Dependency-Check is an open source tool performing a best-effort analysis of third-party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user's risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.

How to read the report | Suppressing false positives | Getting Help: GitHub issues
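Several CPE matches in the Summary table below are reported with Low confidence and bind an artifact to a product that is plainly not the artifact: gwt-log-3.3.1.jar and jcsv-1.4.0.jar to google:gmail, groovy-all-minimal-1.5.8.jar to all-for-one:all_for_one, jfreechart-1.0.19.jar to time_project:time, antlr-runtime-3.5.jar to temporal:temporal, and jackson-annotations-2.9.0.jar / jackson-core-2.9.7.jar to fasterxml:jackson-modules-java8. The suppression file that follows is an added example for this report; it is not part of the generated page and not OpenKM's configuration. It uses Dependency-Check's standard suppression format: each packageUrl value is copied from the Package column of the table, each cpe value is the vendor:product pair from the Vulnerability IDs column written in the cpe:/a: URI form the suppression schema expects, and the file name, the notes text and the judgement that these matches are false positives are mine. Suppressing a CPE removes only the findings derived from that identifier; findings attached to a correct identifier on the same artifact (and OSS Index findings keyed on the package URL) stay in the report, so each entry should still be reviewed before it is adopted.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- dependency-check-suppressions.xml: added example for this report, not part of the
     generated page or of OpenKM. Each <suppress> drops one CPE that the analyzer bound to
     an artifact with Low confidence and that names a different product than the jar. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

  <!-- gwt-log is a GWT logging library; the analyzer matched the vendor "google" to Gmail. -->
  <suppress>
    <notes><![CDATA[gwt-log-3.3.1.jar: google:gmail is a vendor-only match, not this product.]]></notes>
    <packageUrl>pkg:maven/com.allen-sauer.gwt.log/gwt-log@3.3.1</packageUrl>
    <cpe>cpe:/a:google:gmail</cpe>
  </suppress>

  <!-- jcsv is a CSV parser; same google:gmail mismatch as above. -->
  <suppress>
    <notes><![CDATA[jcsv-1.4.0.jar: google:gmail is a vendor-only match, not this product.]]></notes>
    <packageUrl>pkg:maven/com.googlecode.jcsv/jcsv@1.4.0</packageUrl>
    <cpe>cpe:/a:google:gmail</cpe>
  </suppress>

  <!-- Groovy matched on the word "all" in the artifact name; all_for_one is unrelated software. -->
  <suppress>
    <notes><![CDATA[groovy-all-minimal-1.5.8.jar: all-for-one:all_for_one matched on the file name only.]]></notes>
    <packageUrl>pkg:maven/org.codehaus.groovy/groovy-all-minimal@1.5.8</packageUrl>
    <cpe>cpe:/a:all-for-one:all_for_one</cpe>
  </suppress>

  <!-- JFreeChart matched time_project:time, which is a different project. -->
  <suppress>
    <notes><![CDATA[jfreechart-1.0.19.jar: time_project:time is unrelated to JFreeChart.]]></notes>
    <packageUrl>pkg:maven/org.jfree/jfreechart@1.0.19</packageUrl>
    <cpe>cpe:/a:time_project:time</cpe>
  </suppress>

  <!-- ANTLR runtime matched temporal:temporal; no relation to the ANTLR project. -->
  <suppress>
    <notes><![CDATA[antlr-runtime-3.5.jar: temporal:temporal is unrelated to ANTLR.]]></notes>
    <packageUrl>pkg:maven/org.antlr/antlr-runtime@3.5</packageUrl>
    <cpe>cpe:/a:temporal:temporal</cpe>
  </suppress>

  <!-- jackson-annotations and jackson-core were bound to the jackson-modules-java8 CPE, which
       covers the Java 8 datatype/parameter-names modules, not the core artifacts. A regex
       packageUrl covers both artifacts and future versions; jackson-databind is deliberately
       NOT matched by this pattern because its CRITICAL findings are for the correct CPE. -->
  <suppress>
    <notes><![CDATA[jackson-annotations / jackson-core: jackson-modules-java8 is a different module set.]]></notes>
    <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-(annotations|core)@.*$</packageUrl>
    <cpe>cpe:/a:fasterxml:jackson-modules-java8</cpe>
  </suppress>

</suppressions>
```

The file is passed to the scanner with the suppression-file option of whichever front end produced this report (for the Maven plugin, the suppressionFiles configuration; for the CLI, --suppression). Rows with Highest confidence and a correct product name, such as jackson-databind-2.9.7.jar, commons-fileupload-1.3.2.jar or snakeyaml-1.17.jar, are not candidates for suppression; they need an upgrade.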


Project: OpenKM Web Application

com.openkm:openkm:6.3.12

Scan Information:

Summary


Dependency | Vulnerability IDs | Package | Highest Severity | CVE Count | Confidence | Evidence Count
(- = no value reported in that column)
AlertExpirationNotification.jar | - | - | - | 0 | - | 8
ExpirationNotification.jar | - | - | - | 0 | - | 8
InitialNotification.jar | - | - | - | 0 | - | 8
activation-1.1.jar | - | pkg:maven/javax.activation/activation@1.1 | - | 0 | - | 26
active-line.js | - | - | - | 0 | - | 0
ant-1.7.0.jar | cpe:2.3:a:apache:ant:1.7.0:*:*:*:*:*:*:* | pkg:maven/org.apache.ant/ant@1.7.0 | MEDIUM | 3 | Highest | 23
ant-launcher-1.7.0.jar | cpe:2.3:a:apache:ant:1.7.0:*:*:*:*:*:*:* | pkg:maven/org.apache.ant/ant-launcher@1.7.0 | MEDIUM | 1 | Highest | 21
antlr-2.7.6.jar | - | pkg:maven/antlr/antlr@2.7.6 | - | 0 | - | 16
antlr-runtime-3.5.jar | cpe:2.3:a:temporal:temporal:3.5:*:*:*:*:*:*:* | pkg:maven/org.antlr/antlr-runtime@3.5 | - | 0 | Low | 39
anyword-hint.js | - | - | - | 0 | - | 0
aopalliance-1.0.jar | - | pkg:maven/aopalliance/aopalliance@1.0 | - | 0 | - | 20
apl.js | - | - | - | 0 | - | 0
ar.js | - | - | - | 0 | - | 0
ar_SA.js | - | - | - | 0 | - | 0
asm-5.2.jar | - | pkg:maven/org.ow2.asm/asm@5.2 | - | 0 | - | 28
asterisk.js | - | - | - | 0 | - | 0
audioformats-0.15.jar | - | pkg:maven/entagged.audioformats/audioformats@0.15 | - | 0 | - | 17
avalon-framework-api-4.3.1.jar | - | pkg:maven/org.apache.avalon.framework/avalon-framework-api@4.3.1 | - | 0 | - | 27
avalon-framework-impl-4.3.1.jar | - | pkg:maven/org.apache.avalon.framework/avalon-framework-impl@4.3.1 | - | 0 | - | 27
aws-java-sdk-1.3.0.jar | cpe:2.3:a:amazon:aws-sdk-java:1.3.0:*:*:*:*:*:*:* | pkg:maven/com.amazonaws/aws-java-sdk@1.3.0 | MEDIUM | 1 | Highest | 35
az.js | - | - | - | 0 | - | 0
batik-bridge-1.7.jar | cpe:2.3:a:apache:batik:1.7:*:*:*:*:*:*:*; cpe:2.3:a:apache:xml_graphics_batik:1.7:*:*:*:*:*:*:* | pkg:maven/org.apache.xmlgraphics/batik-bridge@1.7 | CRITICAL | 12 | Highest | 25
batik-js-1.7.jar | cpe:2.3:a:apache:batik:1.7:*:*:*:*:*:*:*; cpe:2.3:a:apache:xml_graphics_batik:1.7:*:*:*:*:*:*:* | pkg:maven/org.apache.xmlgraphics/batik-js@1.7 | CRITICAL | 9 | Highest | 20
bcprov-jdk15on-1.52.jar | cpe:2.3:a:bouncycastle:bouncy-castle-crypto-package:1.52:*:*:*:*:*:*:*; cpe:2.3:a:bouncycastle:bouncy_castle_crypto_package:1.52:*:*:*:*:*:*:*; cpe:2.3:a:bouncycastle:bouncy_castle_for_java:1.52:*:*:*:*:*:*:*; cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.52:*:*:*:*:*:*:*; cpe:2.3:a:bouncycastle:the_bouncy_castle_crypto_package_for_java:1.52:*:*:*:*:*:*:* | pkg:maven/org.bouncycastle/bcprov-jdk15on@1.52 | HIGH | 17 | Highest | 54
be.js | - | - | - | 0 | - | 0
beanshell2-2.1.8.jar | cpe:2.3:a:beanshell:beanshell:2.1.8:*:*:*:*:*:*:* | pkg:maven/com.google.code/beanshell2@2.1.8 | - | 0 | Highest | 12
bg_BG.js | - | - | - | 0 | - | 0
biblioteca.js | - | - | - | 0 | - | 0
bn_BD.js | - | - | - | 0 | - | 0
bootstrap.js | - | pkg:javascript/bootstrap@3.3.6 | MEDIUM | 7 | - | 3
bootstrap.min.js | - | pkg:javascript/bootstrap@3.3.6 | MEDIUM | 7 | - | 3
brace-fold.js | - | - | - | 0 | - | 0
bs.js | - | - | - | 0 | - | 0
ca.js | - | - | - | 0 | - | 0
cas-client-core-3.3.3.jar | - | pkg:maven/org.jasig.cas.client/cas-client-core@3.3.3 | - | 0 | - | 25
castor-core-1.3.3.jar | cpe:2.3:a:castor_project:castor:1.3.3:*:*:*:*:*:*:* | pkg:maven/org.codehaus.castor/castor-core@1.3.3 | - | 0 | Highest | 23
catch-exception-1.2.0.jar | - | pkg:maven/com.googlecode.catch-exception/catch-exception@1.2.0 | - | 0 | - | 20
chemistry-opencmis-commons-api-0.12.0.jar | - | pkg:maven/org.apache.chemistry.opencmis/chemistry-opencmis-commons-api@0.12.0 | - | 0 | - | 35
chemistry-opencmis-commons-impl-0.12.0.jar | - | pkg:maven/org.apache.chemistry.opencmis/chemistry-opencmis-commons-impl@0.12.0 | - | 0 | - | 35
chemistry-opencmis-server-bindings-0.12.0.jar | - | pkg:maven/org.apache.chemistry.opencmis/chemistry-opencmis-server-bindings@0.12.0 | - | 0 | - | 29
chemistry-opencmis-server-support-0.12.0.jar | - | pkg:maven/org.apache.chemistry.opencmis/chemistry-opencmis-server-support@0.12.0 | - | 0 | - | 29
chosen.jquery.js | - | - | - | 0 | - | 0
clike.js | - | - | - | 0 | - | 0
clojure.js | - | - | - | 0 | - | 0
closebrackets.js | - | - | - | 0 | - | 0
closetag.js | - | - | - | 0 | - | 0
cobol.js | - | - | - | 0 | - | 0
codemirror.js | - | - | - | 0 | - | 0
coffeescript-lint.js | - | - | - | 0 | - | 0
coffeescript.js | - | - | - | 0 | - | 0
colorize.js | - | - | - | 0 | - | 0
colorpicker.js | - | - | - | 0 | - | 0
comment-fold.js | - | - | - | 0 | - | 0
comment.js | - | - | - | 0 | - | 0
commonlisp.js | - | - | - | 0 | - | 0
commons-beanutils-1.8.3.jar | cpe:2.3:a:apache:commons_beanutils:1.8.3:*:*:*:*:*:*:* | pkg:maven/commons-beanutils/commons-beanutils@1.8.3 | HIGH | 2 | Highest | 110
commons-cli-1.2.jar | - | pkg:maven/commons-cli/commons-cli@1.2 | - | 0 | - | 68
commons-codec-1.5.jar | - | pkg:maven/commons-codec/commons-codec@1.5 | - | 0 | - | 98
commons-collections-3.1.jar | cpe:2.3:a:apache:commons_collections:3.1:*:*:*:*:*:*:* | pkg:maven/commons-collections/commons-collections@3.1 | HIGH | 1 | Highest | 62
commons-compress-1.19.jar | cpe:2.3:a:apache:commons_compress:1.19:*:*:*:*:*:*:* | pkg:maven/org.apache.commons/commons-compress@1.19 | HIGH | 5 | Highest | 95
commons-digester-2.1.jar | - | pkg:maven/commons-digester/commons-digester@2.1 | - | 0 | - | 98
commons-fileupload-1.3.2.jar | cpe:2.3:a:apache:commons_fileupload:1.3.2:*:*:*:*:*:*:* | pkg:maven/commons-fileupload/commons-fileupload@1.3.2 | CRITICAL | 2 | Highest | 110
commons-httpclient-3.1.jar | cpe:2.3:a:apache:commons-httpclient:3.1:*:*:*:*:*:*:*; cpe:2.3:a:apache:httpclient:3.1:*:*:*:*:*:*:* | pkg:maven/commons-httpclient/commons-httpclient@3.1 | MEDIUM | 2 | Highest | 91
commons-io-2.4.jar | cpe:2.3:a:apache:commons_io:2.4:*:*:*:*:*:*:* | pkg:maven/commons-io/commons-io@2.4 | MEDIUM | 1 | Highest | 109
commons-lang-2.6.jar | - | pkg:maven/commons-lang/commons-lang@2.6 | - | 0 | - | 122
commons-lang3-3.2.1.jar | - | pkg:maven/org.apache.commons/commons-lang3@3.2.1 | - | 0 | - | 120
commons-logging-1.1.1.jar | - | pkg:maven/commons-logging/commons-logging@1.1.1 | - | 0 | - | 106
continuecomment.js | - | - | - | 0 | - | 0
continuelist.js | - | - | - | 0 | - | 0
core-1.47.1.jar | - | pkg:maven/com.google.gdata/core@1.47.1 | - | 0 | - | 32
core-2.2.jar | - | pkg:maven/com.google.zxing/core@2.2 | - | 0 | - | 18
crontab-parser-1.0.1.jar | - | pkg:maven/com.kenai.crontab-parser/crontab-parser@1.0.1 | - | 0 | - | 26
cryptacular-1.1.1.jar | cpe:2.3:a:vt:cryptacular:1.1.1:*:*:*:*:*:*:* | pkg:maven/org.cryptacular/cryptacular@1.1.1 | HIGH | 1 | Highest | 37
cs.js | - | - | - | 0 | - | 0
css-hint.js | - | - | - | 0 | - | 0
css-lint.js | - | - | - | 0 | - | 0
css.js | - | - | - | 0 | - | 0
cxf-core-3.2.6.jar | cpe:2.3:a:apache:cxf:3.2.6:*:*:*:*:*:*:* | pkg:maven/org.apache.cxf/cxf-core@3.2.6 | CRITICAL | 11 | Highest | 42
cxf-rt-rs-service-description-swagger-3.2.6.jar | cpe:2.3:a:apache:cxf:3.2.6:*:*:*:*:*:*:*; cpe:2.3:a:service_project:service:3.2.6:*:*:*:*:*:*:* | pkg:maven/org.apache.cxf/cxf-rt-rs-service-description-swagger@3.2.6 | CRITICAL | 10 | Highest | 35
cxf-rt-wsdl-3.2.6.jar | cpe:2.3:a:apache:cxf:3.2.6:*:*:*:*:*:*:* | pkg:maven/org.apache.cxf/cxf-rt-wsdl@3.2.6 | CRITICAL | 10 | Highest | 35
cy.js | - | - | - | 0 | - | 0
d.js | - | - | - | 0 | - | 0
da.js | - | - | - | 0 | - | 0
de.js | - | - | - | 0 | - | 0
de_AT.js | - | - | - | 0 | - | 0
debugger.js | - | - | - | 0 | - | 0
dialog.js | - | - | - | 0 | - | 0
diff.js | - | - | - | 0 | - | 0
diff_match_patch.js | - | - | - | 0 | - | 0
django.js | - | - | - | 0 | - | 0
dnsjava-2.0.8.jar | - | pkg:maven/dnsjava/dnsjava@2.0.8 | - | 0 | - | 25
docx4j-3.1.0.jar | - | pkg:maven/org.docx4j/docx4j@3.1.0 | - | 0 | - | 32
dom4j-1.6.1.jar | cpe:2.3:a:dom4j_project:dom4j:1.6.1:*:*:*:*:*:*:* | pkg:maven/dom4j/dom4j@1.6.1 | CRITICAL | 2 | Highest | 120
dozer-5.3.2.jar | cpe:2.3:a:dozer_project:dozer:5.3.2:*:*:*:*:*:*:* | pkg:maven/net.sf.dozer/dozer@5.3.2 | CRITICAL | 1 | Highest | 40
dtd.js | - | - | - | 0 | - | 0
dv.js | - | - | - | 0 | - | 0
dylan.js | - | - | - | 0 | - | 0
ecj-4.4.2.jar | - | pkg:maven/org.eclipse.jdt.core.compiler/ecj@4.4.2 | - | 0 | - | 28
ecl.js | - | - | - | 0 | - | 0
ehcache-core-2.4.3.jar | - | pkg:maven/net.sf.ehcache/ehcache-core@2.4.3 | - | 0 | - | 27
eiffel.js | - | - | - | 0 | - | 0
el.js | - | - | - | 0 | - | 0
en_CA.js | - | - | - | 0 | - | 0
en_GB.js | - | - | - | 0 | - | 0
encoder-1.1.jar | - | pkg:maven/org.owasp.encoder/encoder@1.1; pkg:maven/org.owasp/encoder@1.1 | - | 0 | - | 24
erlang.js | - | - | - | 0 | - | 0
es.js | - | - | - | 0 | - | 0
et.js | - | - | - | 0 | - | 0
eu.js | - | - | - | 0 | - | 0
fa.js | - | - | - | 0 | - | 0
fi.js | - | - | - | 0 | - | 0
fixedTableHeader.js | - | - | - | 0 | - | 0
flexpaper_flash.js | - | - | - | 0 | - | 0
fo.js | - | - | - | 0 | - | 0
foldcode.js | - | - | - | 0 | - | 0
foldgutter.js | - | - | - | 0 | - | 0
fontbox-2.0.13.jar | - | pkg:maven/org.apache.pdfbox/fontbox@2.0.13 | - | 0 | - | 31
fop-1.1.jar | - | pkg:maven/org.apache.xmlgraphics/fop@1.1 | - | 0 | - | 51
fortran.js | - | - | - | 0 | - | 0
fr_FR.js | - | - | - | 0 | - | 0
freemarker-2.3.16.jar | - | pkg:maven/org.freemarker/freemarker@2.3.16 | - | 0 | - | 24
fullscreen.js | - | - | - | 0 | - | 0
gas.js | - | - | - | 0 | - | 0
gd.js | - | - | - | 0 | - | 0
gfm.js | - | - | - | 0 | - | 0
gherkin.js | - | - | - | 0 | - | 0
gl.js | - | - | - | 0 | - | 0
go.js | - | - | - | 0 | - | 0
google-api-client-1.20.0.jar | - | pkg:maven/com.google.api-client/google-api-client@1.20.0 | - | 0 | - | 23
google-http-client-1.20.0.jar | - | pkg:maven/com.google.http-client/google-http-client@1.20.0 | - | 0 | - | 23
google-http-client-jackson2-1.20.0.jar | - | pkg:maven/com.google.http-client/google-http-client-jackson2@1.20.0 | - | 0 | - | 21
google-oauth-client-1.20.0.jar | cpe:2.3:a:google:oauth_client_library_for_java:1.20.0:*:*:*:*:*:*:* | pkg:maven/com.google.oauth-client/google-oauth-client@1.20.0 | CRITICAL | 2 | Low | 21
google-oauth-client-java6-1.11.0-beta.jar | cpe:2.3:a:google:oauth_client_library_for_java:1.11.0:beta:*:*:*:*:*:* | pkg:maven/com.google.oauth-client/google-oauth-client-java6@1.11.0-beta | CRITICAL | 2 | Low | 22
google-oauth-client-jetty-1.11.0-beta.jar | cpe:2.3:a:google:oauth_client_library_for_java:1.11.0:beta:*:*:*:*:*:*; cpe:2.3:a:jetty:jetty:1.11.0:beta:*:*:*:*:*:* | pkg:maven/com.google.oauth-client/google-oauth-client-jetty@1.11.0-beta | CRITICAL | 2 | Highest | 22
groovy-all-minimal-1.5.8.jar | cpe:2.3:a:all-for-one:all_for_one:1.5.8:*:*:*:*:*:*:* | pkg:maven/org.codehaus.groovy/groovy-all-minimal@1.5.8 | - | 0 | Low | 229
groovy.js | - | - | - | 0 | - | 0
gson-2.2.4.jar | cpe:2.3:a:google:gson:2.2.4:*:*:*:*:*:*:* | pkg:maven/com.google.code.gson/gson@2.2.4 | HIGH | 1 | Highest | 41
guava-20.0.jar | cpe:2.3:a:google:guava:20.0:*:*:*:*:*:*:* | pkg:maven/com.google.guava/guava@20.0 | HIGH | 3 | Highest | 20
gwt-incubator-2.1.0.jar | - | pkg:maven/com.google.gwt/gwt-incubator@2.1.0 | - | 0 | - | 16
gwt-log-3.3.1.jar | cpe:2.3:a:google:gmail:3.3.1:*:*:*:*:*:*:* | pkg:maven/com.allen-sauer.gwt.log/gwt-log@3.3.1 | - | 0 | Low | 29
gwt-servlet-2.8.2.jar (shaded: com.google.protobuf:protobuf-java:2.5.0) | cpe:2.3:a:google:protobuf-java:2.5.0:*:*:*:*:*:*:*; cpe:2.3:a:protobuf:protobuf:2.5.0:*:*:*:*:*:*:* | pkg:maven/com.google.protobuf/protobuf-java@2.5.0 | HIGH | 3 | Highest | 14
gwt-servlet-2.8.2.jar | - | pkg:maven/com.google.gwt/gwt-servlet@2.8.2 | - | 0 | - | 18
gwt-user-2.8.2.jar | cpe:2.3:a:user_project:user:2.8.2:*:*:*:*:*:*:* | pkg:maven/com.google.gwt/gwt-user@2.8.2 | - | 0 | Highest | 20
gwt-user-2.8.2.jar: closurehelpers.js | - | - | - | 0 | - | 0
gwt-user-2.8.2.jar: initWindowCloseHandler.js | - | - | - | 0 | - | 0
gwt-user-2.8.2.jar: initWindowResizeHandler.js | - | - | - | 0 | - | 0
gwt-user-2.8.2.jar: initWindowScrollHandler.js | - | - | - | 0 | - | 0
gwt-vl-2.0b-without-hibernate.jar | - | pkg:maven/eu.maydu.gwt/gwt-vl@2.0b; pkg:maven/gwt-vl.sourceforge.net/gwt-vl@2.0b-without-hibernate | - | 0 | - | 24
hamcrest-core-1.3.jar | - | pkg:maven/org.hamcrest/hamcrest-core@1.3 | - | 0 | - | 24
haml.js | - | - | - | 0 | - | 0
hardwrap.js | - | - | - | 0 | - | 0
haskell.js | - | - | - | 0 | - | 0
haxe.js | - | - | - | 0 | - | 0
he_IL.js | - | - | - | 0 | - | 0
hibernate-commons-annotations-3.2.0.Final.jar | - | pkg:maven/org.hibernate/hibernate-commons-annotations@3.2.0.Final | - | 0 | - | 40
hibernate-core-3.6.10.Final.jar | cpe:2.3:a:hibernate:hibernate_orm:3.6.10:*:*:*:*:*:*:* | pkg:maven/org.hibernate/hibernate-core@3.6.10.Final | HIGH | 2 | Low | 26
hibernate-jpa-2.0-api-1.0.1.Final.jar | - | pkg:maven/org.hibernate.javax.persistence/hibernate-jpa-2.0-api@1.0.1.Final | - | 0 | - | 45
hibernate-search-3.4.2.Final.jar | cpe:2.3:a:hibernate:hibernate_orm:3.4.2:*:*:*:*:*:*:* | pkg:maven/org.hibernate/hibernate-search@3.4.2.Final | HIGH | 2 | Low | 24
hibernate-validator-4.2.0.Final.jar (shaded: com.googlecode.jtype:jtype:0.1.1) | - | pkg:maven/com.googlecode.jtype/jtype@0.1.1 | - | 0 | - | 15
hibernate-validator-4.2.0.Final.jar | cpe:2.3:a:redhat:hibernate_validator:4.2.0:*:*:*:*:*:*:* | pkg:maven/org.hibernate/hibernate-validator@4.2.0.Final | HIGH | 3 | Highest | 31
hr.js | - | - | - | 0 | - | 0
html-hint.js | - | - | - | 0 | - | 0
html5gwt-140127.jar | - | pkg:maven/com.github.akjava/html5gwt@140127 | - | 0 | - | 16
htmlembedded.js | - | - | - | 0 | - | 0
htmlmixed.js | - | - | - | 0 | - | 0
http.js | - | - | - | 0 | - | 0
httpclient-4.0.1.jar | cpe:2.3:a:apache:httpclient:4.0.1:*:*:*:*:*:*:* | pkg:maven/org.apache.httpcomponents/httpclient@4.0.1 | MEDIUM | 5 | Highest | 30
httpcore-4.0.1.jar | - | pkg:maven/org.apache.httpcomponents/httpcore@4.0.1 | - | 0 | - | 22
hu_HU.js | - | - | - | 0 | - | 0
hy.js | - | - | - | 0 | - | 0
icu4j-50.1.1.jar | cpe:2.3:a:icu-project:international_components_for_unicode:50.1.1:*:*:*:*:*:*:*; cpe:2.3:a:unicode:international_components_for_unicode:50.1.1:*:*:*:*:*:*:* | pkg:maven/com.ibm.icu/icu4j@50.1.1 | - | 0 | Low | 78
id.js | - | - | - | 0 | - | 0
indent-fold.js | - | - | - | 0 | - | 0
is_IS.js | - | - | - | 0 | - | 0
it.js | - | - | - | 0 | - | 0
itext-2.1.7.js6.jar | cpe:2.3:a:itextpdf:itext:2.1.7.js6:*:*:*:*:*:*:* | pkg:maven/com.lowagie/itext@2.1.7.js6 | HIGH | 3 | High | 47
ja.js | - | - | - | 0 | - | 0
jackson-annotations-2.9.0.jar | cpe:2.3:a:fasterxml:jackson-modules-java8:2.9.0:*:*:*:*:*:*:* | pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.9.0 | MEDIUM | 1 | Low | 37
jackson-core-2.9.7.jar | cpe:2.3:a:fasterxml:jackson-modules-java8:2.9.7:*:*:*:*:*:*:* | pkg:maven/com.fasterxml.jackson.core/jackson-core@2.9.7 | MEDIUM | 1 | Low | 45
jackson-core-asl-1.9.11.jar | - | pkg:maven/org.codehaus.jackson/jackson-core-asl@1.9.11 | - | 0 | - | 32
jackson-databind-2.9.7.jar | cpe:2.3:a:fasterxml:jackson-databind:2.9.7:*:*:*:*:*:*:*; cpe:2.3:a:fasterxml:jackson-modules-java8:2.9.7:*:*:*:*:*:*:* | pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.7 | CRITICAL | 58 | Highest | 41
jackson-dataformat-yaml-2.8.9.jar | cpe:2.3:a:fasterxml:jackson-dataformat-xml:2.8.9:*:*:*:*:*:*:* | pkg:maven/com.fasterxml.jackson.dataformat/jackson-dataformat-yaml@2.8.9 | - | 0 | Highest | 40
jade.js | - | - | - | 0 | - | 0
jakarta-regexp-1.4.jar | - | pkg:maven/jakarta-regexp/jakarta-regexp@1.4 | - | 0 | - | 14
jashi-2008.07.31.jar | - | pkg:maven/net.sourceforge/jashi@2008.07.31 | - | 0 | - | 16
jasperreports-6.4.3.jar | cpe:2.3:a:tibco:jasperreports_library:6.4.3:*:*:*:*:*:*:* | pkg:maven/net.sf.jasperreports/jasperreports@6.4.3 | HIGH* | 3 | Low | 46
jasperreports-6.4.3.jar: jasperreports-ajax.js | - | - | - | 0 | - | 0
jasperreports-6.4.3.jar: jasperreports-component-registrar.js | - | - | - | 0 | - | 0
jasperreports-6.4.3.jar: jasperreports-event-manager.js | - | - | - | 0 | - | 0
jasperreports-6.4.3.jar: jasperreports-loader.js | - | - | - | 0 | - | 0
jasperreports-6.4.3.jar: jasperreports-map.js | - | - | - | 0 | - | 0
jasperreports-6.4.3.jar: jasperreports-report-processor.js | - | - | - | 0 | - | 0
jasperreports-6.4.3.jar: jasperreports-report.js | - | - | - | 0 | - | 0
jasperreports-6.4.3.jar: jasperreports-status-checker.js | - | - | - | 0 | - | 0
jasperreports-6.4.3.jar: jasperreports-url-manager.js | - | - | - | 0 | - | 0
jasperreports-6.4.3.jar: jasperreports-viewer.js | - | - | - | 0 | - | 0
jasperreports-6.4.3.jar: jive.column.js | - | - | - | 0 | - | 0
jasperreports-6.4.3.jar: jive.crosstab.interactive.js | - | - | - | 0 | - | 0
jasperreports-6.4.3.jar: jive.crosstab.js | - | - | - | 0 | - | 0
jasperreports-6.4.3.jar: jive.interactive.column.js | - | - | - | 0 | - | 0
jasperreports-6.4.3.jar: jive.interactive.sort.js | - | - | - | 0 | - | 0
jasperreports-6.4.3.jar: jive.js | - | - | - | 0 | - | 0
jasperreports-6.4.3.jar: jive.sort.js | - | - | - | 0 | - | 0
jasperreports-6.4.3.jar: jive.table.js | - | - | - | 0 | - | 0
jasperreports-6.4.3.jar: process.js | - | - | - | 0 | - | 0
jasypt-1.9.2.jar | cpe:2.3:a:jasypt_project:jasypt:1.9.2:*:*:*:*:*:*:* | pkg:maven/org.jasypt/jasypt@1.9.2 | - | 0 | Highest | 30
java-support-7.3.0.jar | - | pkg:maven/net.shibboleth.utilities/java-support@7.3.0 | - | 0 | - | 30
javascript-hint.js | - | - | - | 0 | - | 0
javascript-lint.js | - | - | - | 0 | - | 0
javascript.js | - | - | - | 0 | - | 0
javase-2.2.jar | - | pkg:maven/com.google.zxing/javase@2.2 | - | 0 | - | 21
javassist-3.12.1.GA.jar | - | pkg:maven/javassist/javassist@3.12.1.GA | - | 0 | - | 38
javassist-3.21.0-GA.jar | - | pkg:maven/org.javassist/javassist@3.21.0-GA | - | 0 | - | 56
javax.annotation-api-1.3.jar | - | pkg:maven/javax.annotation/javax.annotation-api@1.3 | - | 0 | - | 46
javax.inject-1.jar | - | pkg:maven/javax.inject/javax.inject@1 | - | 0 | - | 20
javax.mail-1.6.2.jar | - | pkg:maven/com.sun.mail/javax.mail@1.6.2 | - | 0 | - | 42
javax.servlet-api-3.0.1.jar | cpe:2.3:a:oracle:java_se:3.0.1:*:*:*:*:*:*:* | pkg:maven/javax.servlet/javax.servlet-api@3.0.1 | - | 0 | Medium | 51
javax.websocket-api-1.0.jar | - | pkg:maven/javax.websocket/javax.websocket-api@1.0 | - | 0 | - | 30
javax.ws.rs-api-2.1.jar | - | pkg:maven/javax.ws.rs/javax.ws.rs-api@2.1 | - | 0 | - | 59
jaxb-api-2.1.jar | - | pkg:maven/javax.xml.bind/jaxb-api@2.1 | - | 0 | - | 22
jaxb-impl-2.1.11.jar | - | pkg:maven/com.sun.xml.bind/jaxb-impl@2.1.11 | - | 0 | - | 24
jaxb-svg11-1.0.2.jar | - | pkg:maven/org.plutext/jaxb-svg11@1.0.2 | - | 0 | - | 34
jaxb-xmldsig-core-1.0.0.jar | - | pkg:maven/org.plutext/jaxb-xmldsig-core@1.0.0 | - | 0 | - | 32
jaxb-xslfo-1.0.1.jar | - | pkg:maven/org.plutext/jaxb-xslfo@1.0.1 | - | 0 | - | 32
jaxws-api-2.1.jar | cpe:2.3:a:web_project:web:2.1:*:*:*:*:*:*:* | pkg:maven/javax.xml.ws/jaxws-api@2.1 | - | 0 | Low | 24
jaxws-rt-2.1.7.jar | cpe:2.3:a:oracle:web_services:2.1.7:*:*:*:*:*:*:* | pkg:maven/com.sun.xml.ws/jaxws-rt@2.1.7 | MEDIUM | 1 | Low | 36
jbpm-jpdl-3.3.1.OKM.jar | cpe:2.3:a:jboss:jbpm:3.3.1:*:*:*:*:*:*:*; cpe:2.3:a:redhat:jbpm:3.3.1:*:*:*:*:*:*:* | pkg:maven/org.jbpm.jbpm3/jbpm-jpdl@3.3.1.OKM | HIGH | 1 | High | 20
jcommon-1.0.23.jar | - | pkg:maven/org.jfree/jcommon@1.0.23 | - | 0 | - | 26
jcsv-1.4.0.jar | cpe:2.3:a:google:gmail:1.4.0:*:*:*:*:*:*:* | pkg:maven/com.googlecode.jcsv/jcsv@1.4.0 | - | 0 | Low | 26
jdom-1.0.jar | cpe:2.3:a:jdom:jdom:1.0:*:*:*:*:*:*:* | pkg:maven/jdom/jdom@1.0 | HIGH | 1 | Highest | 45
jdom-2.0.2.jar | cpe:2.3:a:jdom:jdom:2.0.2:*:*:*:*:*:*:* | pkg:maven/org.jdom/jdom@2.0.2 | HIGH | 1 | Highest | 64
jettison-1.3.5.jar | cpe:2.3:a:jettison_project:jettison:1.3.5:*:*:*:*:*:*:* | pkg:maven/org.codehaus.jettison/jettison@1.3.5 | HIGH | 5 | Highest | 28
jetty-6.1.26.jar | cpe:2.3:a:jetty:jetty:6.1.26:*:*:*:*:*:*:*; cpe:2.3:a:mortbay:jetty:6.1.26:*:*:*:*:*:*:*; cpe:2.3:a:mortbay_jetty:jetty:6.1.26:*:*:*:*:*:*:* | pkg:maven/org.mortbay.jetty/jetty@6.1.26 | MEDIUM | 2 | Highest | 34
jfreechart-1.0.19.jar | cpe:2.3:a:time_project:time:1.0.19:*:*:*:*:*:*:* | pkg:maven/org.jfree/jfreechart@1.0.19 | - | 0 | Low | 30
jinja2.js | - | - | - | 0 | - | 0
jiu-2007.07.01.jar | - | pkg:maven/net.sourceforge/jiu@2007.07.01 | - | 0 | - | 20
jlan-5.0.0.jar | cpe:2.3:a:alfresco:alfresco:5.0.0:*:*:*:*:*:*:* | pkg:maven/org.alfresco/jlan@5.0.0 | CRITICAL | 7 | Highest | 17
jmyspell-core-1.0.0-beta-2.jar | - | pkg:maven/org.dts.spell/jmyspell-core@1.0.0-beta-2; pkg:maven/org.dts/jmyspell-core@1.0.0-beta-2 | - | 0 | - | 25
joda-time-1.6.2.jar | - | pkg:maven/joda-time/joda-time@1.6.2 | - | 0 | - | 45
jodreports-2.4.0.jar | - | pkg:maven/net.sf.jodreports/jodreports@2.4.0 | - | 0 | - | 37
jqTabs.js | - | - | - | 0 | - | 0
jquery-1.11.3.min.js | - | pkg:javascript/jquery@1.11.3.min | MEDIUM | 5 | - | 3
jquery-1.8.3.min.js | - | pkg:javascript/jquery@1.8.3.min | MEDIUM | 7 | - | 3
jquery-ui-1.10.3.js | - | pkg:javascript/jquery-ui-dialog@1.10.3; pkg:javascript/jquery-ui@1.10.3 | MEDIUM | 5 | - | 5
jquery-ui-i18n.js | - | pkg:javascript/jquery-ui@1.10.3 | MEDIUM | 4 | - | 3
jquery.DOMWindow.js | - | - | - | 0 | - | 0
jquery.dataTables-1.10.10.min.js | - | pkg:javascript/jquery.datatables@1.10.10.min | HIGH | 4 | - | 3
jquery.easy-ticker.min.js | - | - | - | 0 | - | 0
jquery.mobile-1.2.1.js | - | pkg:javascript/jquery-mobile@1.2.1 | HIGH | 2 | - | 3
jquery.mobile-1.2.1.min.js | - | pkg:javascript/jquery-mobile@1.2.1.min | HIGH | 2 | - | 3
jquery.tablescroll.js | - | - | - | 0 | - | 0
jquery.tinymce.min.js | - | - | - | 0 | - | 0
jquery.ui.datepicker-af.js | - | - | - | 0 | - | 0
jquery.ui.datepicker-ar-DZ.js | - | - | - | 0 | - | 0
jquery.ui.datepicker-ar.js | - | - | - | 0 | - | 0
jquery.ui.datepicker-az.js | - | - | - | 0 | - | 0
jquery.ui.datepicker-be.js | - | - | - | 0 | - | 0
jquery.ui.datepicker-bg.js | - | - | - | 0 | - | 0
jquery.ui.datepicker-bs.js | - | - | - | 0 | - | 0
jquery.ui.datepicker-ca.js | - | - | - | 0 | - | 0
jquery.ui.datepicker-cs.js | - | - | - | 0 | - | 0
jquery.ui.datepicker-cy-GB.js | - | - | - | 0 | - | 0
jquery.ui.datepicker-da.js | - | - | - | 0 | - | 0
jquery.ui.datepicker-de.js | - | - | - | 0 | - | 0
jquery.ui.datepicker-el.js | - | - | - | 0 | - | 0
jquery.ui.datepicker-en-AU.js | - | - | - | 0 | - | 0
jquery.ui.datepicker-en-GB.js | - | - | - | 0 | - | 0
jquery.ui.datepicker-en-NZ.js | - | - | - | 0 | - | 0
jquery.ui.datepicker-en-US.js | - | - | - | 0 | - | 0
jquery.ui.datepicker-eo.js | - | - | - | 0 | - | 0
jquery.ui.datepicker-es-ES.js | - | - | - | 0 | - | 0
jquery.ui.datepicker-et.js | - | - | - | 0 | - | 0
jquery.ui.datepicker-eu.js | - | - | - | 0 | - | 0
jquery.ui.datepicker-fa.js | - | - | - | 0 | - | 0
jquery.ui.datepicker-fi.js | - | - | - | 0 | - | 0
jquery.ui.datepicker-fo.js | - | - | - | 0 | - | 0
jquery.ui.datepicker-fr-CA.js | - | - | - | 0 | - | 0
jquery.ui.datepicker-fr-CH.js | - | - | - | 0 | - | 0
jquery.ui.datepicker-fr.js | - | - | - | 0 | - | 0
jquery.ui.datepicker-gl.js | - | - | - | 0 | - | 0
jquery.ui.datepicker-he.js | - | - | - | 0 | - | 0
jquery.ui.datepicker-hi.js | - | - | - | 0 | - | 0
jquery.ui.datepicker-hr.js | - | - | - | 0 | - | 0
jquery.ui.datepicker-hu.js | - | - | - | 0 | - | 0
jquery.ui.datepicker-hy.js | - | - | - | 0 | - | 0
jquery.ui.datepicker-id.js | - | - | - | 0 | - | 0
jquery.ui.datepicker-is.js | - | - | - | 0 | - | 0
jquery.ui.datepicker-it.js | - | - | - | 0 | - | 0
jquery.ui.datepicker-ja.js | - | - | - | 0 | - | 0
jquery.ui.datepicker-ka.js | - | - | - | 0 | - | 0
jquery.ui.datepicker-kk.js | - | - | - | 0 | - | 0
jquery.ui.datepicker-km.js | - | - | - | 0 | - | 0
jquery.ui.datepicker-ko.js | - | - | - | 0 | - | 0
jquery.ui.datepicker-ky.js | - | - | - | 0 | - | 0
jquery.ui.datepicker-lb.js | - | - | - | 0 | - | 0
jquery.ui.datepicker-lt.js | - | - | - | 0 | - | 0
jquery.ui.datepicker-lv.js | - | - | - | 0 | - | 0
jquery.ui.datepicker-mk.js | - | - | - | 0 | - | 0
jquery.ui.datepicker-ml.js | - | - | - | 0 | - | 0
jquery.ui.datepicker-ms.js | - | - | - | 0 | - | 0
jquery.ui.datepicker-nb.js | - | - | - | 0 | - | 0
jquery.ui.datepicker-nl-BE.js | - | - | - | 0 | - | 0
jquery.ui.datepicker-nl.js | - | - | - | 0 | - | 0
jquery.ui.datepicker-nn.js | - | - | - | 0 | - | 0
jquery.ui.datepicker-no.js | - | - | - | 0 | - | 0
jquery.ui.datepicker-pl.js | - | - | - | 0 | - | 0
jquery.ui.datepicker-pt-BR.js | - | - | - | 0 | - | 0
jquery.ui.datepicker-pt.js | - | - | - | 0 | - | 0
jquery.ui.datepicker-rm.js | - | - | - | 0 | - | 0
jquery.ui.datepicker-ro.js | - | - | - | 0 | - | 0
jquery.ui.datepicker-ru.js | - | - | - | 0 | - | 0
jquery.ui.datepicker-sk.js | - | - | - | 0 | - | 0
jquery.ui.datepicker-sl.js | - | - | - | 0 | - | 0
jquery.ui.datepicker-sq.js | - | - | - | 0 | - | 0
jquery.ui.datepicker-sr-SR.js | - | - | - | 0 | - | 0
jquery.ui.datepicker-sr.js | - | - | - | 0 | - | 0
jquery.ui.datepicker-sv.js | - | - | - | 0 | - | 0
jquery.ui.datepicker-ta.js | - | - | - | 0 | - | 0
jquery.ui.datepicker-th.js | - | - | - | 0 | - | 0
jquery.ui.datepicker-tj.js | - | - | - | 0 | - | 0
jquery.ui.datepicker-tr.js | - | - | - | 0 | - | 0
jquery.ui.datepicker-uk.js | - | - | - | 0 | - | 0
jquery.ui.datepicker-vi.js | - | - | - | 0 | - | 0
jquery.ui.datepicker-zh-CN.js | - | - | - | 0 | - | 0
jquery.ui.datepicker-zh-HK.js | - | - | - | 0 | - | 0
jquery.ui.datepicker-zh-TW.js | - | - | - | 0 | - | 0
jsinterop-annotations-1.0.2-sources.jar | - | pkg:maven/com.google.jsinterop/jsinterop-annotations@1.0.2 | - | 0 | - | 7
jsinterop-annotations-1.0.2.jar | - | pkg:maven/com.google.jsinterop/jsinterop-annotations@1.0.2 | - | 0 | - | 18
json-lint.js | - | - | - | 0 | - | 0
jsonic-1.2.11.jar | - | pkg:maven/net.arnx/jsonic@1.2.11 | - | 0 | - | 32
jsp-api-2.2.jar | - | pkg:maven/javax.servlet.jsp/jsp-api@2.2 | - | 0 | - | 32
jspf.core-1.0.3.1.jar | - | pkg:maven/com.google.code/jspf.core@1.0.3.1 | - | 0 | - | 14
jsr305-1.3.7.jar | - | pkg:maven/com.google.code.findbugs/jsr305@1.3.7 | - | 0 | - | 16
jstl-1.2.jar | - | pkg:maven/javax.servlet/jstl@1.2 | HIGH | 1 | - | 27
jta-1.1.jar | - | pkg:maven/javax.transaction/jta@1.1 | - | 0 | - | 22
julia.js | - | - | - | 0 | - | 0
junit-4.11.jar | cpe:2.3:a:junit:junit4:4.11:*:*:*:*:*:*:* | pkg:maven/junit/junit@4.11 | MEDIUM | 1 | Low | 28
jwplayer.js | - | - | - | 0 | - | 0
ka_GE.js | - | - | - | 0 | - | 0
kk.js | - | - | - | 0 | - | 0
km_KH.js | - | - | - | 0 | - | 0
ko_KR.js | - | - | - | 0 | - | 0
langdetect-2011.11.28.jar | - | pkg:maven/com.cybozu/langdetect@2011.11.28 | - | 0 | - | 22
lb.js | - | - | - | 0 | - | 0
less_test.js | - | - | - | 0 | - | 0
lint.js | - | - | - | 0 | - | 0
livescript.js | - | - | - | 0 | - | 0
loadmode.js | - | - | - | 0 | - | 0
logback-classic-1.1.3.jar | cpe:2.3:a:qos:logback:1.1.3:*:*:*:*:*:*:* | pkg:maven/ch.qos.logback/logback-classic@1.1.3 | CRITICAL | 3 | Highest | 31
logback-core-1.1.3.jar | cpe:2.3:a:qos:logback:1.1.3:*:*:*:*:*:*:* | pkg:maven/ch.qos.logback/logback-core@1.1.3 | CRITICAL | 2 | Highest | 31
loremipsum-1.0.jar | cpe:2.3:a:web_project:web:1.0:*:*:*:*:*:*:* | pkg:maven/de.sven-jacobs/loremipsum@1.0 | - | 0 | Low | 28
lt.js | - | - | - | 0 | - | 0
lua.js | - | - | - | 0 | - | 0
lucene-analyzers-3.1.0.jar | - | pkg:maven/org.apache.lucene/lucene-analyzers@3.1.0 | - | 0 | - | 21
lucene-core-3.1.0.jar | - | pkg:maven/org.apache.lucene/lucene-core@3.1.0 | - | 0 | - | 22
lucene-highlighter-3.1.0.jar | - | pkg:maven/org.apache.lucene/lucene-highlighter@3.1.0 | - | 0 | - | 22
lucene-memory-3.1.0.jar | - | pkg:maven/org.apache.lucene/lucene-memory@3.1.0 | - | 0 | - | 25
lucene-misc-3.1.0.jar | - | pkg:maven/org.apache.lucene/lucene-misc@3.1.0 | - | 0 | - | 23
lucene-queries-3.1.0.jar | - | pkg:maven/org.apache.lucene/lucene-queries@3.1.0 | - | 0 | - | 22
lucene-smartcn-3.1.0.jar | - | pkg:maven/org.apache.lucene/lucene-smartcn@3.1.0 | - | 0 | - | 21
lucene-spatial-3.1.0.jar | - | pkg:maven/org.apache.lucene/lucene-spatial@3.1.0 | - | 0 | - | 23
lucene-spellchecker-3.1.0.jar | - | pkg:maven/org.apache.lucene/lucene-spellchecker@3.1.0 | - | 0 | - | 24
lucene-stempel-3.1.0.jar | - | pkg:maven/org.apache.lucene/lucene-stempel@3.1.0 | - | 0 | - | 23
lv.js | - | - | - | 0 | - | 0
mark-selection.js | - | - | - | 0 | - | 0
markdown-fold.js | - | - | - | 0 | - | 0
markdown.js | - | - | - | 0 | - | 0
match-highlighter.js | - | - | - | 0 | - | 0
matchbrackets.js | - | - | - | 0 | - | 0
matchtags.js | - | - | - | 0 | - | 0
mbassador-1.1.10.jar | - | pkg:maven/net.engio/mbassador@1.1.10 | - | 0 | - | 29
merge.js | - | - | - | 0 | - | 0
meta.js | - | - | - | 0 | - | 0
metadata-extractor-2.4.0-beta-1.jar | cpe:2.3:a:metadata-extractor_project:metadata-extractor:2.4.0.eta-1:*:*:*:*:*:*:* | pkg:maven/com.drewnoakes/metadata-extractor@2.4.0-beta-1 | MEDIUM | 2 | Highest | 19
metrics-core-3.1.2.jar | - | pkg:maven/io.dropwizard.metrics/metrics-core@3.1.2 | - | 0 | - | 22
milton-api-1.8.1.4.jar | cpe:2.3:a:milton:webdav:1.8.1.4:*:*:*:*:*:*:* | pkg:maven/com.ettrema/milton-api@1.8.1.4 | CRITICAL | 1 | Low | 20
milton-servlet-1.8.1.4.jar | cpe:2.3:a:milton:webdav:1.8.1.4:*:*:*:*:*:*:*; cpe:2.3:a:web_project:web:1.8.1.4:*:*:*:*:*:*:* | pkg:maven/com.ettrema/milton-servlet@1.8.1.4 | CRITICAL | 1 | Low | 16
mime-util-2.1.3.jar | - | pkg:maven/eu.medsea.mimeutil/mime-util@2.1.3 | - | 0 | - | 53
mimepull-1.9.4.jar | - | pkg:maven/org.jvnet.mimepull/mimepull@1.9.4 | - | 0 | - | 48
mirc.js | - | - | - | 0 | - | 0
ml.js | - | - | - | 0 | - | 0
ml_IN.js | - | - | - | 0 | - | 0
mllike.js | - | - | - | 0 | - | 0
mn_MN.js | - | - | - | 0 | - | 0
mockito-core-1.9.5.jar | - | pkg:maven/org.mockito/mockito-core@1.9.5 | - | 0 | - | 28
msgparser-1.12.jar | - | pkg:maven/com.auxilii/msgparser@1.12 | - | 0 | - | 16
multiplex.js | - | - | - | 0 | - | 0
multiplex_test.js | - | - | - | 0 | - | 0
nb_NO.js | - | - | - | 0 | - | 0
neethi-3.1.1.jar | - | pkg:maven/org.apache.neethi/neethi@3.1.1 | - | 0 | - | 86
nekohtml-1.9.14.jar | cpe:2.3:a:nekohtml_project:nekohtml:1.9.14:*:*:*:*:*:*:* | pkg:maven/net.sourceforge.nekohtml/nekohtml@1.9.14 | HIGH | 2 | Highest | 20
nginx.js | - | - | - | 0 | - | 0
nl.js | - | - | - | 0 | - | 0
npm.js | - | - | - | 0 | - | 0
ntriples.js | - | - | - | 0 | - | 0
objenesis-1.0.jar | - | pkg:maven/org.objenesis/objenesis@1.0 | - | 0 | - | 20
octave.js | - | - | - | 0 | - | 0
odfdom-java-0.8.6.jar | - | pkg:maven/org.odftoolkit/odfdom-java@0.8.6 | - | 0 | - | 54
odfutils-051129.jar | - | pkg:maven/com.catcode/odfutils@051129 | - | 0 | - | 14
okm_mail_tinymce4.js | - | - | - | 0 | - | 0
okm_tinymce.js | - | - | - | 0 | - | 0
okm_tinymce4.js | - | - | - | 0 | - | 0
olap4j-0.9.7.309-JS-3.jar | - | pkg:maven/org.olap4j/olap4j@0.9.7.309-JS-3 | - | 0 | - | 11
omr-tool-2007.07.01.jar | - | pkg:maven/ca.uwaterloo.a3seth/omr-tool@2007.07.01 | - | 0 | - | 11
onejar-2.2.4.jar (shaded: info.aduna.commons:aduna-commons-collections:2.3) | - | pkg:maven/info.aduna.commons/aduna-commons-collections@2.3 | - | 0 | - | 12
onejar-2.2.4.jar (shaded: info.aduna.commons:aduna-commons-concurrent:2.2) | - | pkg:maven/info.aduna.commons/aduna-commons-concurrent@2.2 | - | 0 | - | 12
onejar-2.2.4.jar (shaded: info.aduna.commons:aduna-commons-i18n:1.0) | - | pkg:maven/info.aduna.commons/aduna-commons-i18n@1.0 | - | 0 | - | 12
onejar-2.2.4.jar (shaded: info.aduna.commons:aduna-commons-io:2.4) | - | pkg:maven/info.aduna.commons/aduna-commons-io@2.4 | - | 0 | - | 12
onejar-2.2.4.jar (shaded: info.aduna.commons:aduna-commons-iteration:2.3) | - | pkg:maven/info.aduna.commons/aduna-commons-iteration@2.3 | - | 0 | - | 12
onejar-2.2.4.jar (shaded: info.aduna.commons:aduna-commons-lang:2.3) | - | pkg:maven/info.aduna.commons/aduna-commons-lang@2.3 | - | 0 | - | 12
onejar-2.2.4.jar (shaded: info.aduna.commons:aduna-commons-net:2.2) | - | pkg:maven/info.aduna.commons/aduna-commons-net@2.2 | - | 0 | - | 12
onejar-2.2.4.jar (shaded: info.aduna.commons:aduna-commons-platform-info:2.4) | - | pkg:maven/info.aduna.commons/aduna-commons-platform-info@2.4 | - | 0 | - | 11
onejar-2.2.4.jar (shaded: info.aduna.commons:aduna-commons-text:2.2) | - | pkg:maven/info.aduna.commons/aduna-commons-text@2.2 | - | 0 | - | 12
onejar-2.2.4.jar (shaded: info.aduna.commons:aduna-commons-webapp-core:2.4) | - | pkg:maven/info.aduna.commons/aduna-commons-webapp-core@2.4 | - | 0 | - | 9
onejar-2.2.4.jar (shaded: info.aduna.commons:aduna-commons-xml:2.2) | - | pkg:maven/info.aduna.commons/aduna-commons-xml@2.2 | - | 0 | - | 12
onejar-2.2.4.jar (shaded: org.openrdf.sesame:sesame-console:2.2.4) | - | pkg:maven/org.openrdf.sesame/sesame-console@2.2.4 | - | 0 | - | 9
onejar-2.2.4.jar (shaded: org.openrdf.sesame:sesame-http-client:2.2.4) | - | pkg:maven/org.openrdf.sesame/sesame-http-client@2.2.4 | - | 0 | - | 9
onejar-2.2.4.jar (shaded: org.openrdf.sesame:sesame-http-protocol:2.2.4) | - | pkg:maven/org.openrdf.sesame/sesame-http-protocol@2.2.4 | - | 0 | - | 9
onejar-2.2.4.jar (shaded: org.openrdf.sesame:sesame-http-server-spring:2.2.4) | - | pkg:maven/org.openrdf.sesame/sesame-http-server-spring@2.2.4 | - | 0 | - | 9
onejar-2.2.4.jar (shaded: org.openrdf.sesame:sesame-model:2.2.4) | - | pkg:maven/org.openrdf.sesame/sesame-model@2.2.4 | - | 0 | - | 9
onejar-2.2.4.jar (shaded: org.openrdf.sesame:sesame-query:2.2.4) | - | pkg:maven/org.openrdf.sesame/sesame-query@2.2.4 | - | 0 | - | 9
onejar-2.2.4.jar (shaded: org.openrdf.sesame:sesame-queryalgebra-evaluation:2.2.4) | - | pkg:maven/org.openrdf.sesame/sesame-queryalgebra-evaluation@2.2.4 | - | 0 | - | 9
onejar-2.2.4.jar (shaded: org.openrdf.sesame:sesame-queryalgebra-model:2.2.4) | - | pkg:maven/org.openrdf.sesame/sesame-queryalgebra-model@2.2.4 | - | 0 | - | 9
onejar-2.2.4.jar (shaded: org.openrdf.sesame:sesame-queryparser-api:2.2.4) | - | pkg:maven/org.openrdf.sesame/sesame-queryparser-api@2.2.4 | - | 0 | - | 9
onejar-2.2.4.jar (shaded: org.openrdf.sesame:sesame-queryparser-serql:2.2.4) | - | pkg:maven/org.openrdf.sesame/sesame-queryparser-serql@2.2.4 | - | 0 | - | 9
onejar-2.2.4.jar (shaded: org.openrdf.sesame:sesame-queryparser-sparql:2.2.4) | - | pkg:maven/org.openrdf.sesame/sesame-queryparser-sparql@2.2.4 | - | 0 | - | 9
onejar-2.2.4.jar (shaded: org.openrdf.sesame:sesame-queryresultio-api:2.2.4) | - | pkg:maven/org.openrdf.sesame/sesame-queryresultio-api@2.2.4 | - | 0 | - | 9
onejar-2.2.4.jar (shaded: org.openrdf.sesame:sesame-queryresultio-binary:2.2.4) | cpe:2.3:a:binary_project:binary:2.2.4:*:*:*:*:*:*:* | pkg:maven/org.openrdf.sesame/sesame-queryresultio-binary@2.2.4 | - | 0 | High | 9
onejar-2.2.4.jar (shaded: org.openrdf.sesame:sesame-queryresultio-sparqljson:2.2.4) | - | pkg:maven/org.openrdf.sesame/sesame-queryresultio-sparqljson@2.2.4 | - | 0 | - | 9
onejar-2.2.4.jar (shaded: org.openrdf.sesame:sesame-queryresultio-sparqlxml:2.2.4) | - | pkg:maven/org.openrdf.sesame/sesame-queryresultio-sparqlxml@2.2.4 | - | 0 | - | 9
onejar-2.2.4.jar (shaded: org.openrdf.sesame:sesame-queryresultio-text:2.2.4) | - | pkg:maven/org.openrdf.sesame/sesame-queryresultio-text@2.2.4 | - | 0 | - | 9
onejar-2.2.4.jar (shaded: org.openrdf.sesame:sesame-repository-api:2.2.4) | - | pkg:maven/org.openrdf.sesame/sesame-repository-api@2.2.4 | - | 0 | - | 9
onejar-2.2.4.jar (shaded: org.openrdf.sesame:sesame-repository-contextaware:2.2.4) | - | pkg:maven/org.openrdf.sesame/sesame-repository-contextaware@2.2.4 | - | 0 | - | 9
onejar-2.2.4.jar (shaded: org.openrdf.sesame:sesame-repository-dataset:2.2.4) | - | pkg:maven/org.openrdf.sesame/sesame-repository-dataset@2.2.4 | - | 0 | - | 9
onejar-2.2.4.jar (shaded: org.openrdf.sesame:sesame-repository-event:2.2.4) | - | pkg:maven/org.openrdf.sesame/sesame-repository-event@2.2.4 | - | 0 | - | 9
onejar-2.2.4.jar (shaded: org.openrdf.sesame:sesame-repository-http:2.2.4) | - | pkg:maven/org.openrdf.sesame/sesame-repository-http@2.2.4 | - | 0 | - | 9
onejar-2.2.4.jar (shaded: org.openrdf.sesame:sesame-repository-manager:2.2.4) | - | pkg:maven/org.openrdf.sesame/sesame-repository-manager@2.2.4 | - | 0 | - | 9
onejar-2.2.4.jar (shaded: org.openrdf.sesame:sesame-repository-sail:2.2.4) | - | pkg:maven/org.openrdf.sesame/sesame-repository-sail@2.2.4 | - | 0 | - | 9
onejar-2.2.4.jar (shaded: org.openrdf.sesame:sesame-rio-api:2.2.4) | - | pkg:maven/org.openrdf.sesame/sesame-rio-api@2.2.4 | - | 0 | - | 9
onejar-2.2.4.jar (shaded: org.openrdf.sesame:sesame-rio-n3:2.2.4) | - | pkg:maven/org.openrdf.sesame/sesame-rio-n3@2.2.4 | - | 0 | - | 9
onejar-2.2.4.jar (shaded: org.openrdf.sesame:sesame-rio-ntriples:2.2.4) | - | pkg:maven/org.openrdf.sesame/sesame-rio-ntriples@2.2.4 | - | 0 | - | 9
onejar-2.2.4.jar (shaded: org.openrdf.sesame:sesame-rio-rdfxml:2.2.4) | - | pkg:maven/org.openrdf.sesame/sesame-rio-rdfxml@2.2.4 | - | 0 | - | 9
onejar-2.2.4.jar (shaded: org.openrdf.sesame:sesame-rio-trig:2.2.4) | - | pkg:maven/org.openrdf.sesame/sesame-rio-trig@2.2.4 | - | 0 | - | 9
onejar-2.2.4.jar (shaded: org.openrdf.sesame:sesame-rio-trix:2.2.4) | - | pkg:maven/org.openrdf.sesame/sesame-rio-trix@2.2.4 | - | 0 | - | 9
onejar-2.2.4.jar (shaded: org.openrdf.sesame:sesame-rio-turtle:2.2.4) | - | pkg:maven/org.openrdf.sesame/sesame-rio-turtle@2.2.4 | - | 0 | - | 9
onejar-2.2.4.jar (shaded: org.openrdf.sesame:sesame-runtime:2.2.4) | - | pkg:maven/org.openrdf.sesame/sesame-runtime@2.2.4 | - | 0 | - | 9
onejar-2.2.4.jar (shaded: org.openrdf.sesame:sesame-sail-api:2.2.4) | - | pkg:maven/org.openrdf.sesame/sesame-sail-api@2.2.4 | - | 0 | - | 9
onejar-2.2.4.jar (shaded: org.openrdf.sesame:sesame-sail-inferencer:2.2.4) | - | pkg:maven/org.openrdf.sesame/sesame-sail-inferencer@2.2.4 | - | 0 | - | 9
onejar-2.2.4.jar (shaded: org.openrdf.sesame:sesame-sail-memory:2.2.4) | - | pkg:maven/org.openrdf.sesame/sesame-sail-memory@2.2.4 | - | 0 | - | 9
onejar-2.2.4.jar (shaded: org.openrdf.sesame:sesame-sail-nativerdf:2.2.4) | - | pkg:maven/org.openrdf.sesame/sesame-sail-nativerdf@2.2.4 | - | 0 | - | 9
onejar-2.2.4.jar (shaded: org.openrdf.sesame:sesame-sail-rdbms:2.2.4) | - | pkg:maven/org.openrdf.sesame/sesame-sail-rdbms@2.2.4 | - | 0 | - | 9
onejar-2.2.4.jar | - | pkg:maven/org.openrdf.sesame/onejar@2.2.4 | - | 0 | - | 14
opensaml-2.5.1-1.jar | cpe:2.3:a:shibboleth:opensaml:2.5.1.1:*:*:*:*:*:*:* | pkg:maven/org.opensaml/opensaml@2.5.1-1 | HIGH | 3 | Highest | 77
opensaml-core-3.3.0.jar | cpe:2.3:a:shibboleth:opensaml:3.3.0:*:*:*:*:*:*:* | pkg:maven/org.opensaml/opensaml-core@3.3.0 | - | 0 | Highest | 22
openws-1.4.2-1.jar | - | pkg:maven/org.opensaml/openws@1.4.2-1 | - | 0 | - | 74
overlay.js | - | - | - | 0 | - | 0
package.json | - | - | - | 0 | - | 0
pascal.js | - | - | - | 0 | - | 0
pdf.js (2 entries with this file name) | - | - | - | 0 | - | 0
pdf.sandbox.js | - | - | - | 0 | - | 0
pdf.worker.js (2 entries with this file name) | - | - | - | 0 | - | 0
pdfbox-2.0.13.jar | cpe:2.3:a:apache:pdfbox:2.0.13:*:*:*:*:*:*:* | pkg:maven/org.apache.pdfbox/pdfbox@2.0.13 | MEDIUM | 4 | Highest | 29
pegjs.js | - | - | - | 0 | - | 0
perl.js | - | - | - | 0 | - | 0
php.js | - | - | - | 0 | - | 0
pig.js | - | - | - | 0 | - | 0
pl.js | - | - | - | 0 | - | 0
placeholder.js | - | - | - | 0 | - | 0
plugin.min.js (42 entries with this file name) | - | - | - | 0 | - | 0
poi-3.12.jar | cpe:2.3:a:apache:poi:3.12:*:*:*:*:*:*:* | pkg:maven/org.apache.poi/poi@3.12 | HIGH | 5 | Highest | 29
properties.js | - | - | - | 0 | - | 0
pt_BR.js | - | - | - | 0 | - | 0
pt_PT.js | - | - | - | 0 | - | 0
puppet.js | - | - | - | 0 | - | 0
python-hint.js | - | - | - | 0 | - | 0
python.js | - | - | - | 0 | - | 0
q.js | - | - | - | 0 | - | 0
r.js | - | - | - | 0 | - | 0
reflections-0.9.11.jar | - | pkg:maven/org.reflections/reflections@0.9.11 | - | 0 | - | 21
resolver-20050927.jar | - | pkg:maven/com.sun.org.apache.xml.internal/resolver@20050927 | - | 0 | - | 25
ro.js | - | - | - | 0 | - | 0
rome-1.0.jar | cpe:2.3:a:oracle:system_utilities:1.0:*:*:*:*:*:*:*; cpe:2.3:a:oracle:utilities_framework:1.0:*:*:*:*:*:*:* | pkg:maven/rome/rome@1.0 | - | 0 | Low | 44
rpm.js | - | - | - | 0 | - | 0
rst.js | - | - | - | 0 | - | 0
ru.js | - | - | - | 0 | - | 0
ruby.js | - | - | - | 0 | - | 0
rulers.js | - | - | - | 0 | - | 0
runmode-standalone.js | - | - | - | 0 | - | 0
runmode.js | - | - | - | 0 | - | 0
runmode.node.js | - | - | - | 0 | - | 0
rust.js | - | - | - | 0 | - | 0
saaj-api-1.3.jar | - | pkg:maven/javax.xml.soap/saaj-api@1.3 | - | 0 | - | 21
saaj-impl-1.3.3.jar | - | pkg:maven/com.sun.xml.messaging.saaj/saaj-impl@1.3.3 | - | 0 | - | 25
sac-1.3.jar | cpe:2.3:a:wide_project:wide:1.3:*:*:*:*:*:*:* | pkg:maven/org.w3c.css/sac@1.3 | - | 0 | Low | 28
sass.js | - | - | - | 0 | - | 0
scheme.js | - | - | - | 0 | - | 0
scrollpastend.js | - | - | - | 0 | - | 0
scss_test.js | - | - | - | 0 | - | 0
search.js | - | - | - | 0 | - | 0
searchcursor.js | - | - | - | 0 | - | 0
serializer-2.7.1.jar | cpe:2.3:a:apache:xalan-java:2.7.1:*:*:*:*:*:*:* | pkg:maven/xalan/serializer@2.7.1 | HIGH | 2 | Highest | 32
servlet-api-2.5-20081211.jar | cpe:2.3:a:jetty:jetty:2.5:20081211:*:*:*:*:*:*; cpe:2.3:a:mortbay:jetty:2.5:20081211:*:*:*:*:*:*; cpe:2.3:a:mortbay_jetty:jetty:2.5:20081211:*:*:*:*:*:* | pkg:maven/org.mortbay.jetty/servlet-api@2.5-20081211 | MEDIUM | 6 | Highest | 26
servlet-api-6.0.36.jar | cpe:2.3:a:apache:tomcat:6.0.36:*:*:*:*:*:*:*; cpe:2.3:a:apache_tomcat:apache_tomcat:6.0.36:*:*:*:*:*:*:* | pkg:maven/org.apache.tomcat/servlet-api@6.0.36 | CRITICAL* | 29 | Highest | 18
shAutoloader.js | - | - | - | 0 | - | 0
shBrushAS3.js | - | - | - | 0 | - | 0
shBrushAppleScript.js | - | - | - | 0 | - | 0
shBrushBash.js | - | - | - | 0 | - | 0
shBrushCSharp.js | - | - | - | 0 | - | 0
shBrushColdFusion.js | - | - | - | 0 | - | 0
shBrushCpp.js | - | - | - | 0 | - | 0
shBrushCss.js | - | - | - | 0 | - | 0
shBrushDelphi.js | - | - | - | 0 | - | 0
shBrushDiff.js | - | - | - | 0 | - | 0
shBrushErlang.js | - | - | - | 0 | - | 0
shBrushGroovy.js | - | - | - | 0 | - | 0
shBrushJScript.js | - | - | - | 0 | - | 0
shBrushJava.js | - | - | - | 0 | - | 0
shBrushJavaFX.js | - | - | - | 0 | - | 0
shBrushPerl.js | - | - | - | 0 | - | 0
shBrushPhp.js | - | - | - | 0 | - | 0
shBrushPlain.js | - | - | - | 0 | - | 0
shBrushPowerShell.js | - | - | - | 0 | - | 0
shBrushPython.js | - | - | - | 0 | - | 0
shBrushRuby.js | - | - | - | 0 | - | 0
shBrushSass.js | - | - | - | 0 | - | 0
shBrushScala.js | - | - | - | 0 | - | 0
shBrushSql.js | - | - | - | 0 | - | 0
shBrushVb.js | - | - | - | 0 | - | 0
shBrushXml.js | - | - | - | 0 | - | 0
shCore.js | - | - | - | 0 | - | 0
shLegacy.js | - | - | - | 0 | - | 0
shell.js | - | - | - | 0 | - | 0
show-hint.js | - | - | - | 0 | - | 0
si_LK.js | - | - | - | 0 | - | 0
sieve.js | - | - | - | 0 | - | 0
sigar-1.6.5.132-6.jar | - | pkg:maven/org.hyperic/sigar@1.6.5.132-6 | - | 0 | - | 23
sk.js | - | - | - | 0 | - | 0
sl_SI.js | - | - | - | 0 | - | 0
slf4j-api-1.7.7.jar | - | pkg:maven/org.slf4j/slf4j-api@1.7.7 | - | 0 | - | 25
smalltalk.js | - | - | - | 0 | - | 0
smarty.js | - | - | - | 0 | - | 0
smartymixed.js | - | - | - | 0 | - | 0
snakeyaml-1.17.jar | cpe:2.3:a:snakeyaml_project:snakeyaml:1.17:*:*:*:*:*:*:* | pkg:maven/org.yaml/snakeyaml@1.17 | CRITICAL | 8 | Highest | 44
solr-commons-csv-3.1.0.jar (shaded: org.apache.commons:commons-csv:1.0-SNAPSHOT) | - | pkg:maven/org.apache.commons/commons-csv@1.0-SNAPSHOT | - | 0 | - | 32
solr-core-3.1.0.jar | cpe:2.3:a:apache:solr:3.1.0:*:*:*:*:*:*:* | pkg:maven/org.apache.solr/solr-core@3.1.0 | CRITICAL* | 19 | Highest | 26
solr.js | - | - | - | 0 | - | 0
sparql.js | - | - | - | 0 | - | 0
spring-core-3.2.18.RELEASE.jar | cpe:2.3:a:pivotal_software:spring_framework:3.2.18:release:*:*:*:*:*:*; cpe:2.3:a:springsource:spring_framework:3.2.18:release:*:*:*:*:*:*; cpe:2.3:a:vmware:spring_framework:3.2.18:release:*:*:*:*:*:* | pkg:maven/org.springframework/spring-core@3.2.18.RELEASE | CRITICAL* | 11 | Highest | 32
spring-expression-3.2.18.RELEASE.jarcpe:2.3:a:pivotal_software:spring_framework:3.2.18:release:*:*:*:*:*:*
cpe:2.3:a:springsource:spring_framework:3.2.18:release:*:*:*:*:*:*
cpe:2.3:a:vmware:spring_framework:3.2.18:release:*:*:*:*:*:*
pkg:maven/org.springframework/spring-expression@3.2.18.RELEASECRITICAL*12Highest34
spring-ldap-core-1.3.2.RELEASE.jarcpe:2.3:a:pivotal_software:spring-ldap:1.3.2:release:*:*:*:*:*:*pkg:maven/org.springframework.ldap/spring-ldap-core@1.3.2.RELEASEHIGH1Highest53
spring-oxm-3.2.4.RELEASE.jarcpe:2.3:a:pivotal_software:spring_framework:3.2.4:release:*:*:*:*:*:*
cpe:2.3:a:springsource:spring_framework:3.2.4:release:*:*:*:*:*:*
cpe:2.3:a:vmware:spring_framework:3.2.4:release:*:*:*:*:*:*
pkg:maven/org.springframework/spring-oxm@3.2.4.RELEASECRITICAL*20Highest32
spring-security-acl-3.2.10.RELEASE.jarcpe:2.3:a:pivotal_software:spring_security:3.2.10:release:*:*:*:*:*:*
cpe:2.3:a:vmware:spring_security:3.2.10:release:*:*:*:*:*:*
pkg:maven/org.springframework.security/spring-security-acl@3.2.10.RELEASECRITICAL4Highest34
spring-security-config-3.2.10.RELEASE.jarcpe:2.3:a:pivotal_software:spring_security:3.2.10:release:*:*:*:*:*:*
cpe:2.3:a:vmware:spring_security:3.2.10:release:*:*:*:*:*:*
pkg:maven/org.springframework.security/spring-security-config@3.2.10.RELEASECRITICAL6Highest37
spring-security-core-3.2.10.RELEASE.jarcpe:2.3:a:pivotal_software:spring_security:3.2.10:release:*:*:*:*:*:*
cpe:2.3:a:vmware:spring_security:3.2.10:release:*:*:*:*:*:*
pkg:maven/org.springframework.security/spring-security-core@3.2.10.RELEASECRITICAL7Highest34
spring-security-ldap-3.2.10.RELEASE.jarcpe:2.3:a:pivotal_software:spring-ldap:3.2.10:release:*:*:*:*:*:*
cpe:2.3:a:pivotal_software:spring_security:3.2.10:release:*:*:*:*:*:*
cpe:2.3:a:vmware:spring_security:3.2.10:release:*:*:*:*:*:*
pkg:maven/org.springframework.security/spring-security-ldap@3.2.10.RELEASECRITICAL4Highest36
spring-security-web-3.2.10.RELEASE.jarcpe:2.3:a:pivotal_software:spring_security:3.2.10:release:*:*:*:*:*:*
cpe:2.3:a:vmware:spring_security:3.2.10:release:*:*:*:*:*:*
cpe:2.3:a:web_project:web:3.2.10:release:*:*:*:*:*:*
pkg:maven/org.springframework.security/spring-security-web@3.2.10.RELEASECRITICAL7Highest36
spring-web-3.2.18.RELEASE.jarcpe:2.3:a:pivotal_software:spring_framework:3.2.18:release:*:*:*:*:*:*
cpe:2.3:a:springsource:spring_framework:3.2.18:release:*:*:*:*:*:*
cpe:2.3:a:vmware:spring_framework:3.2.18:release:*:*:*:*:*:*
cpe:2.3:a:web_project:web:3.2.18:release:*:*:*:*:*:*
pkg:maven/org.springframework/spring-web@3.2.18.RELEASECRITICAL*14Highest32
spring-webmvc-3.2.18.RELEASE.jarcpe:2.3:a:pivotal_software:spring_framework:3.2.18:release:*:*:*:*:*:*
cpe:2.3:a:springsource:spring_framework:3.2.18:release:*:*:*:*:*:*
cpe:2.3:a:vmware:spring_framework:3.2.18:release:*:*:*:*:*:*
cpe:2.3:a:web_project:web:3.2.18:release:*:*:*:*:*:*
pkg:maven/org.springframework/spring-webmvc@3.2.18.RELEASECRITICAL*13Highest34
spring-ws-core-2.1.4.RELEASE.jarcpe:2.3:a:pivotal_software:spring_web_services:2.1.4:release:*:*:*:*:*:*pkg:maven/org.springframework.ws/spring-ws-core@2.1.4.RELEASECRITICAL1Low27
sql-hint.js 00
sql.js 00
sr.js 00
stax-1.2.0.jarpkg:maven/stax/stax@1.2.0 029
stax-api-1.0-2.jarpkg:maven/javax.xml.stream/stax-api@1.0-2 021
stax-api-1.0.1.jarpkg:maven/stax/stax-api@1.0.1 030
stax-ex-1.2.jarpkg:maven/org.jvnet.staxex/stax-ex@1.2 020
stax2-api-4.1.jarpkg:maven/org.codehaus.woodstox/stax2-api@4.1 051
stex.js 00
streambuffer-0.9.jarpkg:maven/com.sun.xml.stream.buffer/streambuffer@0.9 025
stringtemplate-3.2.1.jarcpe:2.3:a:temporal:temporal:3.2.1:*:*:*:*:*:*:*pkg:maven/org.antlr/stringtemplate@3.2.1 0Low38
sv_SE.js 00
swagger-annotations-1.5.17.jarpkg:maven/io.swagger/swagger-annotations@1.5.17 029
swagger-core-1.5.17.jarpkg:maven/io.swagger/swagger-core@1.5.17 028
swagger-jaxrs-1.5.17.jarpkg:maven/io.swagger/swagger-jaxrs@1.5.17 028
swagger-models-1.5.17.jarpkg:maven/io.swagger/swagger-models@1.5.17 028
swagger-ui-3.17.6.jarpkg:maven/org.webjars/swagger-ui@3.17.6CRITICAL223
swagger-ui-3.17.6.jar: swagger-ui-bundle.js 00
swagger-ui-3.17.6.jar: swagger-ui-standalone-preset.js 00
swagger-ui-3.17.6.jar: swagger-ui.js 00
swfobject.js 00
ta.js 00
ta_IN.js 00
tcl.js 00
tern.js 00
test.js 00
test.js 00
test.js 00
test.js 00
test.js 00
test.js 00
test.js 00
test.js 00
test.js 00
test.js 00
test.js 00
tg.js 00
th_TH.js 00
theme.min.js 00
tiddlywiki.js 00
tiki.js 00
tinymce.min.js 00
toml.js 00
tr_TR.js 00
trailingspace.js 00
tt.js 00
turtle.js 00
twitter4j-2.0.10.jarpkg:maven/net.homeip.yusuke/twitter4j@2.0.10 021
ug.js 00
uk.js 00
uk_UA.js 00
utils.js 00
validation-api-1.0.0.GA-sources.jarpkg:maven/javax.validation/validation-api@1.0.0.GA 07
validation-api-1.0.0.GA.jarpkg:maven/javax.validation/validation-api@1.0.0.GA 031
vanadium-min.js 00
vb.js 00
vbscript.js 00
velocity.js 00
verilog.js 00
vi.js 00
vi_VN.js 00
viewer.js 00
wmf2svg-0.9.0.jarcpe:2.3:a:google:gmail:0.9.0:*:*:*:*:*:*:*pkg:maven/net.arnx/wmf2svg@0.9.0 0Low31
woodstox-core-5.1.0.jarcpe:2.3:a:fasterxml:woodstox:5.1.0:*:*:*:*:*:*:*pkg:maven/com.fasterxml.woodstox/woodstox-core@5.1.0HIGH1Highest50
woodstox-core-asl-4.2.0.jarcpe:2.3:a:fasterxml:woodstox:4.2.0:*:*:*:*:*:*:*pkg:maven/org.codehaus.woodstox/woodstox-core-asl@4.2.0HIGH1Low37
worker.js 00
wsdl4j-1.6.1.jarpkg:maven/wsdl4j/wsdl4j@1.6.1 020
wss4j-1.6.4.jarcpe:2.3:a:apache:wss4j:1.6.4:*:*:*:*:*:*:*pkg:maven/org.apache.ws.security/wss4j@1.6.4HIGH4Highest37
wss4j-policy-2.2.2.jarcpe:2.3:a:apache:wss4j:2.2.2:*:*:*:*:*:*:*pkg:maven/org.apache.wss4j/wss4j-policy@2.2.2 0Highest35
xalan-2.7.1.jarcpe:2.3:a:apache:xalan-java:2.7.1:*:*:*:*:*:*:*pkg:maven/xalan/xalan@2.7.1HIGH2Highest66
xercesImpl-2.9.1.jarcpe:2.3:a:apache:xerces-j:2.9.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:xerces2_java:2.9.1:*:*:*:*:*:*:*
pkg:maven/xerces/xercesImpl@2.9.1HIGH6Highest69
xml-apis-1.3.04.jarpkg:maven/xml-apis/xml-apis@1.3.04 071
xml-fold.js 00
xml-hint.js 00
xml-resolver-1.2.jarpkg:maven/xml-resolver/xml-resolver@1.2 030
xml.js 00
xmlbeans-2.6.0.jarcpe:2.3:a:apache:xmlbeans:2.6.0:*:*:*:*:*:*:*pkg:maven/org.apache.xmlbeans/xmlbeans@2.6.0CRITICAL1Highest49
xmlgraphics-commons-1.5.jarcpe:2.3:a:apache:xmlgraphics_commons:1.5:*:*:*:*:*:*:*pkg:maven/org.apache.xmlgraphics/xmlgraphics-commons@1.5HIGH1Highest29
xmlschema-core-2.2.3.jarpkg:maven/org.apache.ws.xmlschema/xmlschema-core@2.2.3 030
xmlsec-1.4.6.jarpkg:maven/org.apache.santuario/xmlsec@1.4.6MEDIUM428
xmltooling-1.3.2-1.jarcpe:2.3:a:xmltooling_project:xmltooling:1.3.2.1:*:*:*:*:*:*:*pkg:maven/org.opensaml/xmltooling@1.3.2-1MEDIUM2Highest68
xom-1.2.5.jarpkg:maven/xom/xom@1.2.5 056
xquery.js 00
yaml-lint.js 00
yaml.js 00
z80.js 00
zh_CN.js 00
zh_TW.js 00
zip4j-1.3.2.jarcpe:2.3:a:zip4j_project:zip4j:1.3.2:*:*:*:*:*:*:*pkg:maven/net.lingala.zip4j/zip4j@1.3.2MEDIUM3Highest33

* indicates the dependency has a known exploited vulnerability
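
Several CPE matches in the summary carry a Low confidence and pair an artifact with an unrelated product: antlr-runtime-3.5.jar and stringtemplate-3.2.1.jar with temporal:temporal, sac-1.3.jar with wide_project:wide, wmf2svg-0.9.0.jar with google:gmail, rome-1.0.jar with Oracle's utilities products. Matches of that kind are usually name collisions in the CPE dictionary, and the suppression file described under "Suppressing false positives" is the way to retire them without touching the Highest-confidence findings. The script below is an added example and is not part of this report or of Dependency-Check itself: it reads the tool's JSON report, lists the low-confidence CPE matches whose product name does not even occur in the package URL, and writes a suppressions.xml in the form the report's own "suppress" links generate. The JSON field names it reads ("dependencies", "packages[].id", "vulnerabilityIds[].id" and ".confidence") are assumed, and the embedded sample report is constructed from three rows of this page.

```python
import json
from xml.sax.saxutils import escape

# Constructed sample in the shape of a Dependency-Check JSON report. The field names read
# below ("dependencies", "packages[].id", "vulnerabilityIds[].id" / ".confidence") are the
# ones the tool's JSON output uses, assumed here; nothing else in the report is consulted.
# The three entries mirror rows from the summary table on this page.
SAMPLE_REPORT_JSON = json.dumps({
    "dependencies": [
        {"fileName": "antlr-runtime-3.5.jar",
         "packages": [{"id": "pkg:maven/org.antlr/antlr-runtime@3.5"}],
         "vulnerabilityIds": [{"id": "cpe:2.3:a:temporal:temporal:3.5:*:*:*:*:*:*:*",
                               "confidence": "LOW"}]},
        {"fileName": "sac-1.3.jar",
         "packages": [{"id": "pkg:maven/org.w3c.css/sac@1.3"}],
         "vulnerabilityIds": [{"id": "cpe:2.3:a:wide_project:wide:1.3:*:*:*:*:*:*:*",
                               "confidence": "LOW"}]},
        {"fileName": "ant-1.7.0.jar",
         "packages": [{"id": "pkg:maven/org.apache.ant/ant@1.7.0"}],
         "vulnerabilityIds": [{"id": "cpe:2.3:a:apache:ant:1.7.0:*:*:*:*:*:*:*",
                               "confidence": "HIGHEST"}],
         "vulnerabilities": [{"name": "CVE-2020-1945", "severity": "MEDIUM"}]},
    ]
})

CONFIDENCE_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "HIGHEST": 3}
SUPPRESSION_NS = "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"


def load_report(text: str) -> dict:
    return json.loads(text)


def cpe_vendor_product(cpe23: str):
    """(vendor, product) of a CPE 2.3 string. Escaped colons inside values are not handled."""
    parts = cpe23.split(":")
    if len(parts) < 5 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {cpe23}")
    return parts[3], parts[4]


def purl_regex(purl: str) -> str:
    """Version-agnostic packageUrl regex, in the form the report's own 'suppress' links emit."""
    base = purl.split("@", 1)[0]
    return "^" + base.replace(".", r"\.").replace("-", r"\-") + "@.*$"


def suppression_candidates(report: dict, max_confidence: str = "LOW"):
    """CPE matches at or below max_confidence whose product name does not occur in the purl.

    Triage heuristic only: a product name that appears nowhere in the artifact's package
    URL is usually a dictionary name collision, but each candidate still needs a human
    look before it is suppressed.
    """
    limit = CONFIDENCE_RANK[max_confidence.upper()]
    found = []
    for dep in report.get("dependencies", []):
        purls = [p["id"] for p in dep.get("packages", []) if str(p.get("id", "")).startswith("pkg:")]
        if not purls:
            continue  # e.g. the loose .js files: nothing to key a packageUrl suppression on
        purl = purls[0]
        for vid in dep.get("vulnerabilityIds", []):
            cpe = vid.get("id", "")
            conf = str(vid.get("confidence", "HIGHEST")).upper()
            if not cpe.startswith("cpe:2.3:") or CONFIDENCE_RANK.get(conf, 3) > limit:
                continue
            vendor, product = cpe_vendor_product(cpe)
            if product.lower().replace("_", "-") in purl.lower():
                continue  # product name is part of the artifact name: plausible match, keep it
            found.append({"file": dep.get("fileName", "?"), "purl": purl,
                          "cpe": f"cpe:/a:{vendor}:{product}", "confidence": conf})
    return found


def build_suppressions_xml(candidates) -> str:
    """Serialise candidates as a dependency-check suppression file (schema version 1.3)."""
    lines = ['<?xml version="1.0" encoding="UTF-8"?>', f'<suppressions xmlns="{SUPPRESSION_NS}">']
    for c in candidates:
        lines += ["  <suppress>",
                  f"    <notes>{escape(c['file'])}: {c['confidence']}-confidence CPE match, "
                  "reviewed as a name collision</notes>",
                  f'    <packageUrl regex="true">{escape(purl_regex(c["purl"]))}</packageUrl>',
                  f"    <cpe>{escape(c['cpe'])}</cpe>",
                  "  </suppress>"]
    lines.append("</suppressions>")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_suppressions_xml(suppression_candidates(load_report(SAMPLE_REPORT_JSON))))
```

Run against a real report with the JSON formatter enabled, the output is a starting point for the project's suppression file, not a finished one: a suppression keyed on packageUrl plus cpe silences that one vendor:product pairing for every version of the artifact, so review each candidate (here antlr-runtime and sac; ant is kept because its CPE is a Highest-confidence match on the right product) and add a dated reason to the notes element before committing it.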

Dependencies (vulnerable)

AlertExpirationNotification.jar

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/resources/extensions/expiration/AlertExpirationNotification.jar
MD5: 9522a7f528e8f82679b118b5cd2a6930
SHA1: 6738728b85e6a0cd7b212ad3775867bc5fefd344
SHA256: 8a28e4a3674934602850ba16679093c0e1c27f54e0815a401c6da55fefb01185
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

ExpirationNotification.jar

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/resources/extensions/expiration/ExpirationNotification.jar
MD5: d8ffdcc2de80cba44c6116a3cb4e2afd
SHA1: ec3e70c5d69347aad9d052eec0e35cbf6aff465a
SHA256: 122e5a76f0174b2874a1b49fe9e3e46b579debd5764b36e8edfc6379dd527e40
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

InitialNotification.jar

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/resources/extensions/expiration/InitialNotification.jar
MD5: 6bf4a2d1540615a7d693b9a22b28e36a
SHA1: 25ef3d085364657e9fefb4844866d9347d13dbd6
SHA256: 77b4681d98f58ceea2f206221098048b43bf83a5d34a41dcc57a333217b8ca92
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

activation-1.1.jar

Description:

JavaBeans Activation Framework (JAF) is a standard extension to the Java platform that lets you take advantage of standard services to: determine the type of an arbitrary piece of data; encapsulate access to it; discover the operations available on it; and instantiate the appropriate bean to perform the operation(s).

License:

Common Development and Distribution License (CDDL) v1.0: https://glassfish.dev.java.net/public/CDDLv1.0.html
File Path: /home/vaclav/.m2/repository/javax/activation/activation/1.1/activation-1.1.jar
MD5: 8ae38e87cd4f86059c0294a8fe3e0b18
SHA1: e6cb541461c2834bdea3eb920f1884d1eb508b50
SHA256: 2881c79c9d6ef01c58e62beea13e9d1ac8b8baa16f2fc198ad6e6776defdcdd3
Referenced In Project/Scope: OpenKM Web Application:compile
activation-1.1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.sun.mail/javax.mail@1.6.2

Identifiers

active-line.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/addon/selection/active-line.js
MD5: 9a393ed5437f0f43e129c675084c5309
SHA1: 323e8d3ca1625cf3c2a631f3d94a62f369ebc4ce
SHA256: ede02e85aec5e32571e5714140cc0f54840833298a622af326d3d1f30ef164b1
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

ant-1.7.0.jar

Description:

Apache Ant

File Path: /home/vaclav/.m2/repository/org/apache/ant/ant/1.7.0/ant-1.7.0.jar
MD5: 133e8979e9c11450f557ca890177fe0a
SHA1: 9746af1a485e50cf18dcb232489032a847067066
SHA256: 92f72307e7440f1e352c916f2438d2bbab3ffd2cf730c71316117ad04abadea8
Referenced In Project/Scope: OpenKM Web Application:compile
ant-1.7.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.jbpm.jbpm3/jbpm-jpdl@3.3.1.OKM

Identifiers

CVE-2020-1945  

Apache Ant 1.1 to 1.9.14 and 1.10.0 to 1.10.7 uses the default temporary directory identified by the Java system property java.io.tmpdir for several tasks and may thus leak sensitive information. The fixcrlf and replaceregexp tasks also copy files from the temporary directory back into the build tree allowing an attacker to inject modified source files into the build process.
CWE-668 Exposure of Resource to Wrong Sphere

CVSSv2:
  • Base Score: LOW (3.3)
  • Vector: AV:L/AC:M/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.3)
  • Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N/E:1.0/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2021-36374 (OSSINDEX)  

When reading a specially crafted ZIP archive, or a derived formats, an Apache Ant build can be made to allocate large amounts of memory that leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Commonly used derived formats from ZIP archives are for instance JAR files and many office files. Apache Ant prior to 1.9.16 and 1.10.11 were affected.
CWE-130 Improper Handling of Length Parameter Inconsistency

CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.apache.ant:ant:1.7.0:*:*:*:*:*:*:*

CVE-2012-2098 (OSSINDEX)  

Algorithmic complexity vulnerability in the sorting algorithms in bzip2 compressing stream (BZip2CompressorOutputStream) in Apache Commons Compress before 1.4.1 allows remote attackers to cause a denial of service (CPU consumption) via a file with many repeating inputs.
CWE-310 Cryptographic Issues

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.apache.ant:ant:1.7.0:*:*:*:*:*:*:*

ant-launcher-1.7.0.jar

File Path: /home/vaclav/.m2/repository/org/apache/ant/ant-launcher/1.7.0/ant-launcher-1.7.0.jar
MD5: e0c8b3f9390a5d784bbdb6a21f2abd1d
SHA1: e7e30789211e074aa70ef3eaea59bd5b22a7fa7a
SHA256: 72b3d03e0d7d86a56513ec38dd4cd6abe3da6620189be222ab255352cb6eba4a
Referenced In Project/Scope: OpenKM Web Application:compile
ant-launcher-1.7.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.jbpm.jbpm3/jbpm-jpdl@3.3.1.OKM

Identifiers

CVE-2020-1945  

Apache Ant 1.1 to 1.9.14 and 1.10.0 to 1.10.7 uses the default temporary directory identified by the Java system property java.io.tmpdir for several tasks and may thus leak sensitive information. The fixcrlf and replaceregexp tasks also copy files from the temporary directory back into the build tree allowing an attacker to inject modified source files into the build process.
CWE-668 Exposure of Resource to Wrong Sphere

CVSSv2:
  • Base Score: LOW (3.3)
  • Vector: AV:L/AC:M/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.3)
  • Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N/E:1.0/RC:R/MAV:A

References:

Vulnerable Software & Versions:

antlr-2.7.6.jar

File Path: /home/vaclav/.m2/repository/antlr/antlr/2.7.6/antlr-2.7.6.jar
MD5: 97c6bb68108a3d68094eab0f67157962
SHA1: cf4f67dae5df4f9932ae7810f4548ef3e14dd35e
SHA256: df74f330d36526ff9e717731fd855152fcff51618f0b5785d0049022f89d568b
Referenced In Project/Scope: OpenKM Web Application:compile
antlr-2.7.6.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.hibernate/hibernate-core@3.6.10.Final

Identifiers

antlr-runtime-3.5.jar

Description:

A framework for constructing recognizers, compilers, and translators from grammatical descriptions containing Java, C#, C++, or Python actions.

File Path: /home/vaclav/.m2/repository/org/antlr/antlr-runtime/3.5/antlr-runtime-3.5.jar
MD5: aa6d7c8b425df59f5f5bc98c58cfd9fc
SHA1: 0baa82bff19059401e90e1b90020beb9c96305d7
SHA256: 7ef52a4e25ea2472a0ae62ae1d5ccaa7ef23be188289ad225fcb8a452a1b738d
Referenced In Project/Scope: OpenKM Web Application:compile
antlr-runtime-3.5.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.apache.chemistry.opencmis/chemistry-opencmis-server-support@0.12.0

Identifiers

anyword-hint.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/addon/hint/anyword-hint.js
MD5: 26c98398f27a02685ce046fa1b990bca
SHA1: 077a75e4f83aee91315b97a73b53b595f2dfde25
SHA256: 22b92f64b78dc8993294f78dd4a322940479e2fe80dea5a3391bd9b00957fd6f
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

aopalliance-1.0.jar

Description:

AOP Alliance

License:

Public Domain
File Path: /home/vaclav/.m2/repository/aopalliance/aopalliance/1.0/aopalliance-1.0.jar
MD5: 04177054e180d09e3998808efa0401c7
SHA1: 0235ba8b489512805ac13a8f9ea77a1ca5ebe3e8
SHA256: 0addec670fedcd3f113c5c8091d783280d23f75e3acb841b61a9cdb079376a08
Referenced In Project/Scope: OpenKM Web Application:compile
aopalliance-1.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.security/spring-security-core@3.2.10.RELEASE

Identifiers

apl.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/apl/apl.js
MD5: 129d6e9dea877596d1dbb1c82b136427
SHA1: 51a70fa97bb80b466c1f96bb201d91902da79726
SHA256: f296e1571bbb63d5f9894f3ba571ac3f720a044548e71a9bdbad7b4d467b8f9c
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

ar.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/ar.js
MD5: 1b752db44cf0ed72b42bd7130b8ce3b6
SHA1: 048e62fb66cd6d670d2735efccc8249844ed2403
SHA256: 871aae945431175867eb63a32d6216c7e2fe4c03c9ccf710e07be9633daa6a07
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

ar_SA.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/ar_SA.js
MD5: f717cfffe583043173e901052cd69ee8
SHA1: 4671994f69f3211a4531c83b444e681168ca4e67
SHA256: 055331f23a2f00e77298adf0661bb363273c77b2a364325e0f2d7f56777c1a36
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

asm-5.2.jar

File Path: /home/vaclav/.m2/repository/org/ow2/asm/asm/5.2/asm-5.2.jar
MD5: 8bb8efe7c0f8488c4a2d6297066632aa
SHA1: 4ce3ecdc7115bcbf9d4ff4e6ec638e60760819df
SHA256: 3e5ea0d7da2c5155ef4f470d9092d42de34e3f53db6589c7c07d6721adf4ba3e
Referenced In Project/Scope: OpenKM Web Application:compile
asm-5.2.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.apache.cxf/cxf-rt-frontend-jaxws@3.2.6

Identifiers

asterisk.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/asterisk/asterisk.js
MD5: 1e14674107ecabbd26abd23942acfa90
SHA1: 940a9ccbc95b1bd330c9101740f9f87cad99e7aa
SHA256: c682df8f95e0804d52ba1b336d90ac0734d03f4d1732b2877923765ac6f12ebd
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

audioformats-0.15.jar

File Path: /home/vaclav/.m2/repository/entagged/audioformats/audioformats/0.15/audioformats-0.15.jar
MD5: 0420ac9357daa590e4aabc17502ef7df
SHA1: fbfa768177ac683e71a229014989e0485abebb20
SHA256: 0ca062ec1f089700735fa3a198858e700a604a6fd241f02ddb1223473cfb897b
Referenced In Project/Scope: OpenKM Web Application:compile
audioformats-0.15.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12

Identifiers

avalon-framework-api-4.3.1.jar

Description:

Avalon Framework API

File Path: /home/vaclav/.m2/repository/org/apache/avalon/framework/avalon-framework-api/4.3.1/avalon-framework-api-4.3.1.jar
MD5: 7c543869a7eb2bad323a54e873973acf
SHA1: 2dacadeb49bc14420990b1f28897d46f96e2181d
SHA256: bca4c94b5e53acee3c97fe11cce0749d682d5591bf4a217cd45273adeb08c60f
Referenced In Project/Scope: OpenKM Web Application:compile
avalon-framework-api-4.3.1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.docx4j/docx4j@3.1.0

Identifiers

avalon-framework-impl-4.3.1.jar

Description:

Avalon Framework Implementation

File Path: /home/vaclav/.m2/repository/org/apache/avalon/framework/avalon-framework-impl/4.3.1/avalon-framework-impl-4.3.1.jar
MD5: 004ac42a2cda8c444451ef187b24284f
SHA1: 2d5f5a07fd14513ce6d7a7bfaff69419c26dbd0b
SHA256: 1a429bd5ba87c55b9c84648d0404eb6499b7c05a2c9f21b1bb9621fbf117589f
Referenced In Project/Scope: OpenKM Web Application:compile
avalon-framework-impl-4.3.1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.docx4j/docx4j@3.1.0

Identifiers

aws-java-sdk-1.3.0.jar

Description:

The Amazon Web Services SDK for Java provides Java APIs for building software on AWS’ cost-effective, scalable, and reliable infrastructure products. The AWS Java SDK allows developers to code against APIs for all of Amazon's infrastructure web services (Amazon S3, Amazon EC2, Amazon SQS, Amazon Relational Database Service, Amazon AutoScaling, etc).

License:

Apache License, Version 2.0: http://aws.amazon.com/apache2.0
File Path: /home/vaclav/.m2/repository/com/amazonaws/aws-java-sdk/1.3.0/aws-java-sdk-1.3.0.jar
MD5: af8f4f9fd255977cbcf19eae3d7e54a0
SHA1: 6b95d606e88baeda06ce174d725537446dd471b1
SHA256: 9f4fb973174d104488385fe7353664ba4bafc9a1b76e298e3f05671b741332a5
Referenced In Project/Scope: OpenKM Web Application:compile
aws-java-sdk-1.3.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12

Identifiers

CVE-2022-31159  

The AWS SDK for Java enables Java developers to work with Amazon Web Services. A partial-path traversal issue exists within the `downloadDirectory` method in the AWS S3 TransferManager component of the AWS SDK for Java v1 prior to version 1.12.261. Applications using the SDK control the `destinationDirectory` argument, but S3 object keys are determined by the application that uploaded the objects. The `downloadDirectory` method allows the caller to pass a filesystem object in the object key but contained an issue in the validation logic for the key name. A knowledgeable actor could bypass the validation logic by including a UNIX double-dot in the bucket key. Under certain conditions, this could permit them to retrieve a directory from their S3 bucket that is one level up in the filesystem from their working directory. This issue's scope is limited to directories whose name prefix matches the destinationDirectory. E.g. for destination directory `/tmp/foo`, the actor can cause a download to `/tmp/foo-bar`, but not `/tmp/bar`. If `com.amazonaws.services.s3.transfer.TransferManager::downloadDirectory` is used to download an untrusted bucket's contents, the contents of that bucket can be written outside of the intended destination directory. Version 1.12.261 contains a patch for this issue. As a workaround, when calling `com.amazonaws.services.s3.transfer.TransferManager::downloadDirectory`, pass a `KeyFilter` that forbids `S3ObjectSummary` objects whose `getKey` method returns a string containing the substring `..`.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:2.8/RC:R/MAV:A

References:

Vulnerable Software & Versions:
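
The validation flaw CVE-2022-31159 describes is a general one: a containment check done as a string-prefix test accepts any sibling directory whose name merely starts with the destination, which is exactly why `/tmp/foo-bar` is reachable from `/tmp/foo` while `/tmp/bar` is not. The Python below is an added illustration of that flaw class and of the advisory's workaround; it is not the SDK's code. naive_is_inside reproduces the prefix test, strict_is_inside compares whole path components, and safe_target applies the KeyFilter-style rule of refusing any key containing `..` (and, going beyond the advisory, any absolute key) before mapping it under the destination. Paths are handled as strings with posixpath, so nothing touches the filesystem; the `/tmp/foo` destination is the advisory's own example and the object keys are constructed.

```python
import posixpath


def join_key(dest_dir: str, key: str) -> str:
    """Map an object key under dest_dir the way a directory download does, then normalise.
    A key such as '../foo-bar/x' therefore resolves to a sibling of dest_dir."""
    return posixpath.normpath(posixpath.join(dest_dir, key))


def naive_is_inside(dest_dir: str, path: str) -> bool:
    """The flawed containment check: a plain string-prefix test.
    '/tmp/foo-bar/x' is accepted for dest_dir '/tmp/foo' because the string starts with it."""
    return posixpath.normpath(path).startswith(posixpath.normpath(dest_dir))


def strict_is_inside(dest_dir: str, path: str) -> bool:
    """Containment on whole path components: path equals dest_dir or lies beneath it."""
    dest = posixpath.normpath(dest_dir)
    cand = posixpath.normpath(path)
    return cand == dest or cand.startswith(dest.rstrip("/") + "/")


def key_has_dotdot(key: str) -> bool:
    """The advisory's KeyFilter rule: refuse any key whose text contains '..'."""
    return ".." in key


def classify(dest_dir: str, key: str):
    """(naive_verdict, strict_verdict) for one key; True means the download would be allowed."""
    target = join_key(dest_dir, key)
    return naive_is_inside(dest_dir, target), strict_is_inside(dest_dir, target)


def safe_target(dest_dir: str, key: str) -> str:
    """Local path for key, or ValueError if the key could escape dest_dir.
    Goes beyond the advisory's workaround by also refusing absolute keys, which
    posixpath.join would otherwise let replace dest_dir entirely."""
    if key_has_dotdot(key) or posixpath.isabs(key):
        raise ValueError(f"refusing object key {key!r}")
    target = join_key(dest_dir, key)
    if not strict_is_inside(dest_dir, target):  # defence in depth; should not trigger
        raise ValueError(f"key {key!r} resolves outside {dest_dir}")
    return target


if __name__ == "__main__":
    # Constructed keys around the advisory's own example destination /tmp/foo.
    for key in ("docs/a.txt", "../foo-bar/secret.txt", "../bar/x"):
        naive, strict = classify("/tmp/foo", key)
        print(f"{key:24} -> {join_key('/tmp/foo', key):28} naive={naive} strict={strict}")
```

Upgrading to 1.12.261 or later is the fix; the KeyFilter workaround only applies to SDK versions that expose that interface at all, so check the version actually in use (the 1.3.0 jar found here is far older than the fixed release) before relying on it.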

az.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/az.js
MD5: 38ff4633713fa35312bc669ba56afd0f
SHA1: 8175c1249938fa44650c954c38ce54bb758b2332
SHA256: e08fc67c84d3aaa2cb1910c8ebd2c9cac2db109ddd94bac15aaeb8ccc9a26281
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

batik-bridge-1.7.jar

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/vaclav/.m2/repository/org/apache/xmlgraphics/batik-bridge/1.7/batik-bridge-1.7.jar
MD5: 9693f85b4f65f53190984eaae07c1d15
SHA1: 8e0cde3830e0f17704cd392b0a09b13944987a51
SHA256: e7c5a7d772c4f2eef5d34842019440a7ec3f4b00375a9a8350af4804823c832d
Referenced In Project/Scope: OpenKM Web Application:compile
batik-bridge-1.7.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.docx4j/docx4j@3.1.0

Identifiers

CVE-2018-8013  

In Apache Batik 1.x before 1.10, when deserializing subclass of `AbstractDocument`, the class takes a string from the inputStream as the class name which then use it to call the no-arg constructor of the class. Fix was to check the class type before calling newInstance in deserialization.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2020-11987  

Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.
CWE-20 Improper Input Validation, CWE-918 Server-Side Request Forgery (SSRF)

CVSSv2:
  • Base Score: MEDIUM (6.4)
  • Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: HIGH (8.2)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2019-17566  

Apache Batik is vulnerable to server-side request forgery, caused by improper input validation by the "xlink:href" attributes. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.
CWE-918 Server-Side Request Forgery (SSRF)

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2022-40146 (OSSINDEX)  

Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to access files using a Jar url. This issue affects Apache XML Graphics Batik 1.14.
CWE-918 Server-Side Request Forgery (SSRF)

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.apache.xmlgraphics:batik-bridge:1.7:*:*:*:*:*:*:*

CVE-2022-41704  

A vulnerability in Batik of Apache XML Graphics allows an attacker to run untrusted Java code from an SVG. This issue affects Apache XML Graphics prior to 1.16. It is recommended to update to version 1.16.
CWE-918 Server-Side Request Forgery (SSRF)

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2022-42890  

A vulnerability in Batik of Apache XML Graphics allows an attacker to run Java code from untrusted SVG via JavaScript. This issue affects Apache XML Graphics prior to 1.16. Users are recommended to upgrade to version 1.16.
CWE-918 Server-Side Request Forgery (SSRF)

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2017-5662  

In Apache Batik before 1.9, files lying on the filesystem of the server which uses batik can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user is root a full compromise of the server - including confidential or sensitive files - would be possible. XXE can also be used to attack the availability of the server via denial of service as the references within a xml document can trivially trigger an amplification attack.
CWE-611 Improper Restriction of XML External Entity Reference

CVSSv2:
  • Base Score: HIGH (7.9)
  • Vector: AV:N/AC:M/Au:S/C:C/I:N/A:C
CVSSv3:
  • Base Score: HIGH (7.3)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:H/E:2.1/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2022-44729  

Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik. This issue affects Apache XML Graphics Batik: 1.16.

On version 1.16, a malicious SVG could trigger loading external resources by default, causing resource consumption or in some cases even information disclosure. Users are recommended to upgrade to version 1.17 or later.

CWE-918 Server-Side Request Forgery (SSRF)

CVSSv3:
  • Base Score: HIGH (7.1)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H/E:1.8/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2015-0250  

XML external entity (XXE) vulnerability in the SVG to (1) PNG and (2) JPG conversion classes in Apache Batik 1.x before 1.8 allows remote attackers to read arbitrary files or cause a denial of service via a crafted SVG file.
NVD-CWE-Other

CVSSv2:
  • Base Score: MEDIUM (6.4)
  • Vector: AV:N/AC:L/Au:N/C:P/I:N/A:P

References:

Vulnerable Software & Versions:

CVE-2022-38398 (OSSINDEX)  

Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to load a url thru the jar protocol. This issue affects Apache XML Graphics Batik 1.14.
CWE-918 Server-Side Request Forgery (SSRF)

CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.apache.xmlgraphics:batik-bridge:1.7:*:*:*:*:*:*:*

CVE-2022-38648 (OSSINDEX)  

Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to fetch external resources. This issue affects Apache XML Graphics Batik 1.14.
CWE-918 Server-Side Request Forgery (SSRF)

CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.apache.xmlgraphics:batik-bridge:1.7:*:*:*:*:*:*:*

CVE-2022-44730  

Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik. This issue affects Apache XML Graphics Batik: 1.16.

A malicious SVG can probe user profile / data and send it directly as parameter to a URL.

CWE-918 Server-Side Request Forgery (SSRF)

CVSSv3:
  • Base Score: MEDIUM (4.4)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:1.8/RC:R/MAV:A

References:

Vulnerable Software & Versions:

batik-js-1.7.jar

Description:

This is a patched version of Rhino 1.6R5 for use by Batik. See http://svn.apache.org/repos/asf/xmlgraphics/batik/trunk/lib/README.js.txt for details of the patch.

License:

Mozilla Public License version 1.1: http://www.mozilla.org/MPL/MPL-1.1.html
File Path: /home/vaclav/.m2/repository/org/apache/xmlgraphics/batik-js/1.7/batik-js-1.7.jar
MD5: 0eab2c31be0102c0828d0f60c4f14494
SHA1: 688eb1bf13b7a54491fcb3405068fc5092589884
SHA256:f7d917d038b136702461e3dbd5f83dd9946b664398d88f090284447b8e00fbba
Referenced In Project/Scope: OpenKM Web Application:compile
batik-js-1.7.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.docx4j/docx4j@3.1.0

Identifiers

CVE-2018-8013  

In Apache Batik 1.x before 1.10, when deserializing subclass of `AbstractDocument`, the class takes a string from the inputStream as the class name which then use it to call the no-arg constructor of the class. Fix was to check the class type before calling newInstance in deserialization.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2020-11987  

Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.
CWE-20 Improper Input Validation, CWE-918 Server-Side Request Forgery (SSRF)

CVSSv2:
  • Base Score: MEDIUM (6.4)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: HIGH (8.2)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2019-17566  

Apache Batik is vulnerable to server-side request forgery, caused by improper input validation by the "xlink:href" attributes. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.
CWE-918 Server-Side Request Forgery (SSRF)

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2022-41704  

A vulnerability in Batik of Apache XML Graphics allows an attacker to run untrusted Java code from an SVG. This issue affects Apache XML Graphics prior to 1.16. It is recommended to update to version 1.16.
CWE-918 Server-Side Request Forgery (SSRF)

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2022-42890  

A vulnerability in Batik of Apache XML Graphics allows an attacker to run Java code from untrusted SVG via JavaScript. This issue affects Apache XML Graphics prior to 1.16. Users are recommended to upgrade to version 1.16.
CWE-918 Server-Side Request Forgery (SSRF)

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2017-5662  

In Apache Batik before 1.9, files lying on the filesystem of the server which uses Batik can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user is root, a full compromise of the server, including confidential or sensitive files, would be possible. XXE can also be used to attack the availability of the server via denial of service, as the references within an XML document can trivially trigger an amplification attack.
CWE-611 Improper Restriction of XML External Entity Reference

CVSSv2:
  • Base Score: HIGH (7.9)
  • Vector: /AV:N/AC:M/Au:S/C:C/I:N/A:C
CVSSv3:
  • Base Score: HIGH (7.3)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:H/E:2.1/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2022-44729  

Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik. This issue affects Apache XML Graphics Batik: 1.16.

On version 1.16, a malicious SVG could trigger loading external resources by default, causing resource consumption or in some cases even information disclosure. Users are recommended to upgrade to version 1.17 or later.

CWE-918 Server-Side Request Forgery (SSRF)

CVSSv3:
  • Base Score: HIGH (7.1)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H/E:1.8/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2015-0250  

XML external entity (XXE) vulnerability in the SVG to (1) PNG and (2) JPG conversion classes in Apache Batik 1.x before 1.8 allows remote attackers to read arbitrary files or cause a denial of service via a crafted SVG file.
NVD-CWE-Other

CVSSv2:
  • Base Score: MEDIUM (6.4)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:P

References:

Vulnerable Software & Versions:

CVE-2022-44730  

Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik. This issue affects Apache XML Graphics Batik: 1.16.

A malicious SVG can probe user profile / data and send it directly as parameter to a URL.

CWE-918 Server-Side Request Forgery (SSRF)

CVSSv3:
  • Base Score: MEDIUM (4.4)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:1.8/RC:R/MAV:A

References:

Vulnerable Software & Versions:

bcprov-jdk15on-1.52.jar

Description:

The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.

License:

Bouncy Castle Licence: http://www.bouncycastle.org/licence.html
File Path: /home/vaclav/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.52/bcprov-jdk15on-1.52.jar
MD5: 873ac611cb0d7160c0a3d30eee964454
SHA1: 88a941faf9819d371e3174b5ed56a3f3f7d73269
SHA256: 0dc4d181e4d347893c2ddbd2e6cd5d7287fc651c03648fa64b2341c7366b1773
Referenced In Project/Scope: OpenKM Web Application:compile
bcprov-jdk15on-1.52.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/net.sf.jasperreports/jasperreports@6.4.3

Identifiers

  • pkg:maven/org.bouncycastle/bcprov-jdk15on@1.52  (Confidence:High)
  • cpe:2.3:a:bouncycastle:bouncy-castle-crypto-package:1.52:*:*:*:*:*:*:*  (Confidence:Low)  
  • cpe:2.3:a:bouncycastle:bouncy_castle_crypto_package:1.52:*:*:*:*:*:*:*  (Confidence:Low)  
  • cpe:2.3:a:bouncycastle:bouncy_castle_for_java:1.52:*:*:*:*:*:*:*  (Confidence:Highest)  
  • cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.52:*:*:*:*:*:*:*  (Confidence:Low)  
  • cpe:2.3:a:bouncycastle:the_bouncy_castle_crypto_package_for_java:1.52:*:*:*:*:*:*:*  (Confidence:Low)  

CVE-2016-1000338  

In Bouncy Castle JCE Provider version 1.55 and earlier, DSA does not fully validate the ASN.1 encoding of a signature on verification. It is possible to inject extra elements into the sequence making up the signature and still have it validate, which in some cases may allow the introduction of 'invisible' data into a signed structure.
CWE-347 Improper Verification of Cryptographic Signature

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2016-1000340  

In the Bouncy Castle JCE Provider versions 1.51 to 1.55, a carry propagation bug was introduced in the implementation of squaring for several raw math classes (org.bouncycastle.math.raw.Nat???); it has since been fixed. These classes are used by our custom elliptic curve implementations (org.bouncycastle.math.ec.custom.**), so there was the possibility of rare (in general usage) spurious calculations for elliptic curve scalar multiplications. Such errors would have been detected with high probability by the output validation for our scalar multipliers.
CWE-19 Data Processing Errors

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2016-1000342  

In the Bouncy Castle JCE Provider version 1.55 and earlier, ECDSA does not fully validate the ASN.1 encoding of a signature on verification. It is possible to inject extra elements into the sequence making up the signature and still have it validate, which in some cases may allow the introduction of 'invisible' data into a signed structure.
CWE-347 Improper Verification of Cryptographic Signature

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2016-1000343  

In the Bouncy Castle JCE Provider version 1.55 and earlier the DSA key pair generator generates a weak private key if used with default values. If the JCA key pair generator is not explicitly initialised with DSA parameters, 1.55 and earlier generates a private value assuming a 1024 bit key size. In earlier releases this can be dealt with by explicitly passing parameters to the key pair generator.
CWE-310 Cryptographic Issues

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2016-1000344  

In the Bouncy Castle JCE Provider version 1.55 and earlier the DHIES implementation allowed the use of ECB mode. This mode is regarded as unsafe and support for it has been removed from the provider.
CWE-310 Cryptographic Issues

CVSSv2:
  • Base Score: MEDIUM (5.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.4)
  • Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:2.2/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2016-1000352  

In the Bouncy Castle JCE Provider version 1.55 and earlier the ECIES implementation allowed the use of ECB mode. This mode is regarded as unsafe and support for it has been removed from the provider.
CWE-310 Cryptographic Issues

CVSSv2:
  • Base Score: MEDIUM (5.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.4)
  • Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:2.2/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2016-1000341  

In the Bouncy Castle JCE Provider version 1.55 and earlier, DSA signature generation is vulnerable to a timing attack. Where timings can be closely observed for the generation of signatures, the lack of blinding in 1.55 or earlier may allow an attacker to gain information about the signature's k value and ultimately the private value as well.
CWE-361 7PK - Time and State

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:2.2/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2016-1000345  

In the Bouncy Castle JCE Provider version 1.55 and earlier, the DHIES/ECIES CBC mode is vulnerable to a padding oracle attack. For BC 1.55 and older, in an environment where timings can be easily observed, it is possible with enough observations to identify when the decryption is failing due to padding.
CWE-361 7PK - Time and State

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:2.2/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2017-13098  

BouncyCastle TLS prior to version 1.0.3, when configured to use the JCE (Java Cryptography Extension) for cryptographic functions, provides a weak Bleichenbacher oracle when any TLS cipher suite using RSA key exchange is negotiated. An attacker can recover the private key from a vulnerable application. This vulnerability is referred to as "ROBOT."
CWE-203 Observable Discrepancy

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:2.2/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2020-15522  

Bouncy Castle BC Java before 1.66, BC C# .NET before 1.8.7, BC-FJA before 1.0.1.2, 1.0.2.1, and BC-FNA before 1.0.1.1 have a timing issue within the EC math library that can expose information about the private key when an attacker is able to observe timing information for the generation of multiple deterministic ECDSA signatures.
CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:2.2/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2020-0187 (OSSINDEX)  

In engineSetMode of BaseBlockCipher.java, there is a possible incorrect cryptographic algorithm chosen due to an incomplete comparison. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10. Android ID: A-148517383
CWE-310 Cryptographic Issues

CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.bouncycastle:bcprov-jdk15on:1.52:*:*:*:*:*:*:*

CVE-2023-33202  

Bouncy Castle for Java before 1.73 contains a potential Denial of Service (DoS) issue within the Bouncy Castle org.bouncycastle.openssl.PEMParser class. This class parses OpenSSL PEM encoded streams containing X.509 certificates, PKCS8 encoded keys, and PKCS7 objects. Parsing a file that has crafted ASN.1 data through the PEMParser causes an OutOfMemoryError, which can enable a denial of service attack. (For users of the FIPS Java API: BC-FJA 1.0.2.3 and earlier are affected; BC-FJA 1.0.2.4 is fixed.)
CWE-400 Uncontrolled Resource Consumption

CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:1.8/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2020-26939 (OSSINDEX)  

In Legion of the Bouncy Castle BC before 1.61 and BC-FJA before 1.0.1.2, attackers can obtain sensitive information about a private exponent because of Observable Differences in Behavior to Error Inputs. This occurs in org.bouncycastle.crypto.encodings.OAEPEncoding. Sending invalid ciphertext that decrypts to a short payload in the OAEP Decoder could result in the throwing of an early exception, potentially leaking some information about the private exponent of the RSA private key performing the encryption.
CWE-203 Observable Discrepancy

CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.bouncycastle:bcprov-jdk15on:1.52:*:*:*:*:*:*:*

CVE-2023-33201 (OSSINDEX)  

Bouncy Castle For Java before 1.74 is affected by an LDAP injection vulnerability. The vulnerability only affects applications that use an LDAP CertStore from Bouncy Castle to validate X.509 certificates. During the certificate validation process, Bouncy Castle inserts the certificate's Subject Name into an LDAP search filter without any escaping, which leads to an LDAP injection vulnerability.
CWE-295 Improper Certificate Validation

CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.bouncycastle:bcprov-jdk15on:1.52:*:*:*:*:*:*:*

CVE-2016-1000339  

In the Bouncy Castle JCE Provider version 1.55 and earlier the primary engine class used for AES was AESFastEngine. Due to the highly table driven approach used in the algorithm it turns out that if the data channel on the CPU can be monitored the lookup table accesses are sufficient to leak information on the AES key being used. There was also a leak in AESEngine although it was substantially less. AESEngine has been modified to remove any signs of leakage (testing carried out on Intel X86-64) and is now the primary AES class for the BC JCE provider from 1.56. Use of AESFastEngine is now only recommended where otherwise deemed appropriate.
CWE-310 Cryptographic Issues

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2016-1000346  

In the Bouncy Castle JCE Provider version 1.55 and earlier, the other party's DH public key is not fully validated. This can cause issues, as invalid keys can be used to reveal details about the other party's private key where static Diffie-Hellman is in use. As of release 1.56 the key parameters are checked on agreement calculation.
CWE-320 Key Management Errors

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: LOW (3.7)
  • Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:2.2/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2015-6644 (OSSINDEX)  

Bouncy Castle in Android before 5.1.1 LMY49F and 6.0 before 2016-01-01 allows attackers to obtain sensitive information via a crafted application, aka internal bug 24106146.
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

CVSSv3:
  • Base Score: LOW (3.3)
  • Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.bouncycastle:bcprov-jdk15on:1.52:*:*:*:*:*:*:*

be.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/be.js
MD5: 8f671c8af95f60e8e59b58d352cdf8bd
SHA1: 5f8113d40fbe58ee0c90f49911b2aa3766979676
SHA256: bc225a2b0054fd43295abc8267f178db2f48c7f4c410b261f92a669431b91fa1
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

beanshell2-2.1.8.jar

File Path: /home/vaclav/.m2/repository/com/google/code/beanshell2/2.1.8/beanshell2-2.1.8.jar
MD5: 86da39aefd9ab3da7167f141083009ea
SHA1: d1a739ea4ad2222a6b06193fb087855982694831
SHA256: ef196035f6252a0237438ee8039e26d88f616b6b9a5995b17767368484c87ef1
Referenced In Project/Scope: OpenKM Web Application:compile
beanshell2-2.1.8.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12

Identifiers

bg_BG.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/bg_BG.js
MD5: ccc3f664df6aadc42ab9a6de4312a963
SHA1: fc57e1d4d0428e3f367b586be53b3f300e5935c5
SHA256: 6aa93e7d513341782f63fb63b53f60ed313ab0e87fafe8b0ba633f1054a4a152
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

biblioteca.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/biblioteca.js
MD5: 3641b0c67d8c9a378158ebc422ae8957
SHA1: eb38757f5e8d76ef169eb04c8549567f311d5005
SHA256: 07b753095a5fbdfee04696017956d35379250d5ae7fffb4f70680feac3d58747
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

bn_BD.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/bn_BD.js
MD5: 5af91a2a2581d46c2b3f59890bfb0732
SHA1: 9a446656611f8a565a3e5107c4f8175256c58863
SHA256: 0b9f5c6afb0341f4eb3e2ec640833b16ea34d69a9bd02c58f21522e5345efea0
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

bootstrap.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/bootstrap/bootstrap.js
MD5: ed69cf59ee487638489ff8742a469e43
SHA1: 8cf4186ce86777b4b408ce308ca9f66dd421f509
SHA256: defc39740ac1859d8e2785ed473208409627e87addd5f78f2deaacb93a12d51d
Referenced In Project/Scope: OpenKM Web Application

Identifiers

CVE-2016-10735  

In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:2.8/RC:R/MAV:A

References:

Vulnerable Software & Versions (NVD):

  • cpe:2.3:a:getbootstrap:bootstrap:*:*:*:*:*:*:*:* versions from (including) 3.0.0; versions up to (excluding) 3.4.0
  • cpe:2.3:a:getbootstrap:bootstrap:4.0.0:beta:*:*:*:*:*:*

CVE-2018-14041  

In Bootstrap before 4.1.2, XSS is possible in the data-target property of scrollspy.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:2.8/RC:R/MAV:A

References:

Vulnerable Software & Versions (NVD):

  • cpe:2.3:a:getbootstrap:bootstrap:*:*:*:*:*:*:*:* versions from (including) 4.0.0; versions up to (excluding) 4.1.2
  • cpe:2.3:a:getbootstrap:bootstrap:4.0.0:alpha:*:*:*:*:*:*
  • cpe:2.3:a:getbootstrap:bootstrap:4.0.0:alpha2:*:*:*:*:*:*
  • cpe:2.3:a:getbootstrap:bootstrap:4.0.0:alpha3:*:*:*:*:*:*
  • cpe:2.3:a:getbootstrap:bootstrap:4.0.0:alpha4:*:*:*:*:*:*
  • cpe:2.3:a:getbootstrap:bootstrap:4.0.0:alpha5:*:*:*:*:*:*
  • cpe:2.3:a:getbootstrap:bootstrap:4.0.0:alpha6:*:*:*:*:*:*
  • cpe:2.3:a:getbootstrap:bootstrap:4.0.0:beta:*:*:*:*:*:*
  • cpe:2.3:a:getbootstrap:bootstrap:4.0.0:beta2:*:*:*:*:*:*
  • cpe:2.3:a:getbootstrap:bootstrap:4.0.0:beta3:*:*:*:*:*:*

CVE-2018-14042  

In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:2.8/RC:R/MAV:A

References:

Vulnerable Software & Versions (NVD):

  • cpe:2.3:a:getbootstrap:bootstrap:*:*:*:*:*:*:*:* versions up to (excluding) 3.4.0
  • cpe:2.3:a:getbootstrap:bootstrap:*:*:*:*:*:*:*:* versions from (including) 4.0.0; versions up to (excluding) 4.1.2
  • cpe:2.3:a:getbootstrap:bootstrap:4.0.0:alpha:*:*:*:*:*:*
  • cpe:2.3:a:getbootstrap:bootstrap:4.0.0:alpha2:*:*:*:*:*:*
  • cpe:2.3:a:getbootstrap:bootstrap:4.0.0:alpha3:*:*:*:*:*:*
  • cpe:2.3:a:getbootstrap:bootstrap:4.0.0:alpha4:*:*:*:*:*:*
  • cpe:2.3:a:getbootstrap:bootstrap:4.0.0:alpha5:*:*:*:*:*:*
  • cpe:2.3:a:getbootstrap:bootstrap:4.0.0:alpha6:*:*:*:*:*:*
  • cpe:2.3:a:getbootstrap:bootstrap:4.0.0:beta:*:*:*:*:*:*
  • cpe:2.3:a:getbootstrap:bootstrap:4.0.0:beta2:*:*:*:*:*:*
  • cpe:2.3:a:getbootstrap:bootstrap:4.0.0:beta3:*:*:*:*:*:*

CVE-2018-20676  

In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport attribute.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:2.8/RC:R/MAV:A

References:

Vulnerable Software & Versions (NVD):

  • cpe:2.3:a:getbootstrap:bootstrap:*:*:*:*:*:*:*:* versions up to (excluding) 3.4.0

CVE-2018-20677  

In Bootstrap before 3.4.0, XSS is possible in the affix configuration target property.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:2.8/RC:R/MAV:A

References:

Vulnerable Software & Versions (NVD):

  • cpe:2.3:a:getbootstrap:bootstrap:*:*:*:*:*:*:*:* versions up to (excluding) 3.4.0

CVE-2019-8331  

In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:2.8/RC:R/MAV:A

References:

Vulnerable Software & Versions (NVD):

  • cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:* versions from (including) 12.1.0; versions up to (excluding) 12.1.5.1
  • cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:* versions from (including) 13.0.0; versions up to (excluding) 13.1.3.4
  • cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:* versions from (including) 14.0.0; versions up to (excluding) 14.1.2.5
  • cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:* versions from (including) 15.0.0; versions up to (excluding) 15.1.0
  • cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:* versions from (including) 12.1.0; versions up to (excluding) 12.1.5.1
  • cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:* versions from (including) 13.0.0; versions up to (excluding) 13.1.3.4
  • cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:* versions from (including) 14.0.0; versions up to (excluding) 14.1.2.5
  • cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:* versions from (including) 15.0.0; versions up to (excluding) 15.1.0
  • cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:* versions from (including) 12.1.0; versions up to (excluding) 12.1.5.1
  • cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:* versions from (including) 13.0.0; versions up to (excluding) 13.1.3.4
  • cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:* versions from (including) 14.0.0; versions up to (excluding) 14.1.2.5
  • cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:* versions from (including) 15.0.0; versions up to (excluding) 15.1.0
  • cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:* versions from (including) 12.1.0; versions up to (excluding) 12.1.5.1
  • cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:* versions from (including) 13.0.0; versions up to (excluding) 13.1.3.4
  • cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:* versions from (including) 14.0.0; versions up to (excluding) 14.1.2.5
  • cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:* versions from (including) 15.0.0; versions up to (excluding) 15.1.0
  • cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:* versions from (including) 12.1.0; versions up to (excluding) 12.1.5.1
  • cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:* versions from (including) 13.0.0; versions up to (excluding) 13.1.3.4
  • cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:* versions from (including) 14.0.0; versions up to (excluding) 14.1.2.5
  • cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:* versions from (including) 15.0.0; versions up to (excluding) 15.1.0
  • cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:* versions from (including) 12.1.0; versions up to (excluding) 12.1.5.1
  • cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:* versions from (including) 13.0.0; versions up to (excluding) 13.1.3.4
  • cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:* versions from (including) 14.0.0; versions up to (excluding) 14.1.2.5
  • cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:* versions from (including) 15.0.0; versions up to (excluding) 15.1.0
  • cpe:2.3:a:f5:big-ip_edge_gateway:*:*:*:*:*:*:*:* versions from (including) 12.1.0; versions up to (excluding) 12.1.5.1
  • cpe:2.3:a:f5:big-ip_edge_gateway:*:*:*:*:*:*:*:* versions from (including) 13.0.0; versions up to (excluding) 13.1.3.4
  • cpe:2.3:a:f5:big-ip_edge_gateway:*:*:*:*:*:*:*:* versions from (including) 14.0.0; versions up to (excluding) 14.1.2.5
  • cpe:2.3:a:f5:big-ip_edge_gateway:*:*:*:*:*:*:*:* versions from (including) 15.0.0; versions up to (excluding) 15.1.0
  • cpe:2.3:a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:* versions from (including) 12.1.0; versions up to (excluding) 12.1.5.1
  • cpe:2.3:a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:* versions from (including) 13.0.0; versions up to (excluding) 13.1.3.4
  • cpe:2.3:a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:* versions from (including) 14.0.0; versions up to (excluding) 14.1.2.5
  • cpe:2.3:a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:* versions from (including) 15.0.0; versions up to (excluding) 15.1.0
  • cpe:2.3:a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:* versions from (including) 12.1.0; versions up to (excluding) 12.1.5.1
  • cpe:2.3:a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:* versions from (including) 13.0.0; versions up to (excluding) 13.1.3.4
  • cpe:2.3:a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:* versions from (including) 14.0.0; versions up to (excluding) 14.1.2.5
  • cpe:2.3:a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:* versions from (including) 15.0.0; versions up to (excluding) 15.1.0
  • cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:* versions from (including) 12.1.0; versions up to (excluding) 12.1.5.1
  • cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:* versions from (including) 13.0.0; versions up to (excluding) 13.1.3.4
  • cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:* versions from (including) 14.0.0; versions up to (excluding) 14.1.2.5
  • cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:* versions from (including) 15.0.0; versions up to (excluding) 15.1.0
  • cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:* versions from (including) 12.1.0; versions up to (excluding) 12.1.5.1
  • cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:* versions from (including) 13.0.0; versions up to (excluding) 13.1.3.4
  • cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:* versions from (including) 14.0.0; versions up to (excluding) 14.1.2.5
  • cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:* versions from (including) 15.0.0; versions up to (excluding) 15.1.0
  • cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:* versions from (including) 12.1.0; versions up to (excluding) 12.1.5.1
  • cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:* versions from (including) 13.0.0; versions up to (excluding) 13.1.3.4
  • cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:* versions from (including) 14.0.0; versions up to (excluding) 14.1.2.5
  • cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:* versions from (including) 15.0.0; versions up to (excluding) 15.1.0
  • cpe:2.3:a:f5:big-ip_webaccelerator:*:*:*:*:*:*:*:* versions from (including) 12.1.0; versions up to (excluding) 12.1.5.1
  • cpe:2.3:a:f5:big-ip_webaccelerator:*:*:*:*:*:*:*:* versions from (including) 13.0.0; versions up to (excluding) 13.1.3.4
  • cpe:2.3:a:f5:big-ip_webaccelerator:*:*:*:*:*:*:*:* versions from (including) 14.0.0; versions up to (excluding) 14.1.2.5
  • cpe:2.3:a:f5:big-ip_webaccelerator:*:*:*:*:*:*:*:* versions from (including) 15.0.0; versions up to (excluding) 15.1.0
  • cpe:2.3:a:getbootstrap:bootstrap:*:*:*:*:*:*:*:* versions up to (excluding) 3.4.1
  • cpe:2.3:a:getbootstrap:bootstrap:*:*:*:*:*:*:*:* versions from (including) 4.3.0; versions up to (excluding) 4.3.1
  • cpe:2.3:a:redhat:virtualization_manager:4.3:*:*:*:*:*:*:*
  • cpe:2.3:a:tenable:tenable.sc:*:*:*:*:*:*:*:* versions up to (excluding) 5.19.0

Bootstrap before 4.0.0 is end-of-life and no longer maintained. (RETIREJS)  

Bootstrap before 4.0.0 is end-of-life and no longer maintained.
Unscored:
  • Severity: low

References:

bootstrap.min.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/bootstrap/bootstrap.min.js
MD5: c5b5b2fa19bd66ff23211d9f844e0131
SHA1: 791aa054a026bddc0de92bad6cf7a1c6e73713d5
SHA256: 2979f9a6e32fc42c3e7406339ee9fe76b31d1b52059776a02b4a7fa6a4fd280a
Referenced In Project/Scope: OpenKM Web Application

Identifiers

CVE-2016-10735  

In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:2.8/RC:R/MAV:A

References:

Vulnerable Software & Versions (NVD):

  • cpe:2.3:a:getbootstrap:bootstrap:*:*:*:*:*:*:*:* versions from (including) 3.0.0; versions up to (excluding) 3.4.0
  • cpe:2.3:a:getbootstrap:bootstrap:4.0.0:beta:*:*:*:*:*:*

CVE-2018-14041  

In Bootstrap before 4.1.2, XSS is possible in the data-target property of scrollspy.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:2.8/RC:R/MAV:A

References:

Vulnerable Software & Versions (NVD):

  • cpe:2.3:a:getbootstrap:bootstrap:*:*:*:*:*:*:*:* versions from (including) 4.0.0; versions up to (excluding) 4.1.2
  • cpe:2.3:a:getbootstrap:bootstrap:4.0.0:alpha:*:*:*:*:*:*
  • cpe:2.3:a:getbootstrap:bootstrap:4.0.0:alpha2:*:*:*:*:*:*
  • cpe:2.3:a:getbootstrap:bootstrap:4.0.0:alpha3:*:*:*:*:*:*
  • cpe:2.3:a:getbootstrap:bootstrap:4.0.0:alpha4:*:*:*:*:*:*
  • cpe:2.3:a:getbootstrap:bootstrap:4.0.0:alpha5:*:*:*:*:*:*
  • cpe:2.3:a:getbootstrap:bootstrap:4.0.0:alpha6:*:*:*:*:*:*
  • cpe:2.3:a:getbootstrap:bootstrap:4.0.0:beta:*:*:*:*:*:*
  • cpe:2.3:a:getbootstrap:bootstrap:4.0.0:beta2:*:*:*:*:*:*
  • cpe:2.3:a:getbootstrap:bootstrap:4.0.0:beta3:*:*:*:*:*:*

CVE-2018-14042  

In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:2.8/RC:R/MAV:A

References:

Vulnerable Software & Versions (NVD):

  • cpe:2.3:a:getbootstrap:bootstrap:*:*:*:*:*:*:*:* versions up to (excluding) 3.4.0
  • cpe:2.3:a:getbootstrap:bootstrap:*:*:*:*:*:*:*:* versions from (including) 4.0.0; versions up to (excluding) 4.1.2
  • cpe:2.3:a:getbootstrap:bootstrap:4.0.0:alpha:*:*:*:*:*:*
  • cpe:2.3:a:getbootstrap:bootstrap:4.0.0:alpha2:*:*:*:*:*:*
  • cpe:2.3:a:getbootstrap:bootstrap:4.0.0:alpha3:*:*:*:*:*:*
  • cpe:2.3:a:getbootstrap:bootstrap:4.0.0:alpha4:*:*:*:*:*:*
  • cpe:2.3:a:getbootstrap:bootstrap:4.0.0:alpha5:*:*:*:*:*:*
  • cpe:2.3:a:getbootstrap:bootstrap:4.0.0:alpha6:*:*:*:*:*:*
  • cpe:2.3:a:getbootstrap:bootstrap:4.0.0:beta:*:*:*:*:*:*
  • cpe:2.3:a:getbootstrap:bootstrap:4.0.0:beta2:*:*:*:*:*:*
  • cpe:2.3:a:getbootstrap:bootstrap:4.0.0:beta3:*:*:*:*:*:*

CVE-2018-20676  

In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport attribute.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:2.8/RC:R/MAV:A

References:

Vulnerable Software & Versions (NVD):

  • cpe:2.3:a:getbootstrap:bootstrap:*:*:*:*:*:*:*:* versions up to (excluding) 3.4.0

CVE-2018-20677  

In Bootstrap before 3.4.0, XSS is possible in the affix configuration target property.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:2.8/RC:R/MAV:A

References:

Vulnerable Software & Versions (NVD):

  • cpe:2.3:a:getbootstrap:bootstrap:*:*:*:*:*:*:*:* versions up to (excluding) 3.4.0

CVE-2019-8331  

In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:2.8/RC:R/MAV:A

References:

Vulnerable Software & Versions (NVD):

  • cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:* versions from (including) 12.1.0; versions up to (excluding) 12.1.5.1
  • cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:* versions from (including) 13.0.0; versions up to (excluding) 13.1.3.4
  • cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:* versions from (including) 14.0.0; versions up to (excluding) 14.1.2.5
  • cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:* versions from (including) 15.0.0; versions up to (excluding) 15.1.0
  • cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:* versions from (including) 12.1.0; versions up to (excluding) 12.1.5.1
  • cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:* versions from (including) 13.0.0; versions up to (excluding) 13.1.3.4
  • cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:* versions from (including) 14.0.0; versions up to (excluding) 14.1.2.5
  • cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:* versions from (including) 15.0.0; versions up to (excluding) 15.1.0
  • cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:* versions from (including) 12.1.0; versions up to (excluding) 12.1.5.1
  • cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:* versions from (including) 13.0.0; versions up to (excluding) 13.1.3.4
  • cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:* versions from (including) 14.0.0; versions up to (excluding) 14.1.2.5
  • cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:* versions from (including) 15.0.0; versions up to (excluding) 15.1.0
  • cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:* versions from (including) 12.1.0; versions up to (excluding) 12.1.5.1
  • cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:* versions from (including) 13.0.0; versions up to (excluding) 13.1.3.4
  • cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:* versions from (including) 14.0.0; versions up to (excluding) 14.1.2.5
  • cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:* versions from (including) 15.0.0; versions up to (excluding) 15.1.0
  • cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:* versions from (including) 12.1.0; versions up to (excluding) 12.1.5.1
  • cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:* versions from (including) 13.0.0; versions up to (excluding) 13.1.3.4
  • cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:* versions from (including) 14.0.0; versions up to (excluding) 14.1.2.5
  • cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:* versions from (including) 15.0.0; versions up to (excluding) 15.1.0
  • cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:* versions from (including) 12.1.0; versions up to (excluding) 12.1.5.1
  • cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:* versions from (including) 13.0.0; versions up to (excluding) 13.1.3.4
  • cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:* versions from (including) 14.0.0; versions up to (excluding) 14.1.2.5
  • cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:* versions from (including) 15.0.0; versions up to (excluding) 15.1.0
  • cpe:2.3:a:f5:big-ip_edge_gateway:*:*:*:*:*:*:*:* versions from (including) 12.1.0; versions up to (excluding) 12.1.5.1
  • cpe:2.3:a:f5:big-ip_edge_gateway:*:*:*:*:*:*:*:* versions from (including) 13.0.0; versions up to (excluding) 13.1.3.4
  • cpe:2.3:a:f5:big-ip_edge_gateway:*:*:*:*:*:*:*:* versions from (including) 14.0.0; versions up to (excluding) 14.1.2.5
  • cpe:2.3:a:f5:big-ip_edge_gateway:*:*:*:*:*:*:*:* versions from (including) 15.0.0; versions up to (excluding) 15.1.0
  • cpe:2.3:a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:* versions from (including) 12.1.0; versions up to (excluding) 12.1.5.1
  • cpe:2.3:a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:* versions from (including) 13.0.0; versions up to (excluding) 13.1.3.4
  • cpe:2.3:a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:* versions from (including) 14.0.0; versions up to (excluding) 14.1.2.5
  • cpe:2.3:a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:* versions from (including) 15.0.0; versions up to (excluding) 15.1.0
  • cpe:2.3:a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:* versions from (including) 12.1.0; versions up to (excluding) 12.1.5.1
  • cpe:2.3:a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:* versions from (including) 13.0.0; versions up to (excluding) 13.1.3.4
  • cpe:2.3:a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:* versions from (including) 14.0.0; versions up to (excluding) 14.1.2.5
  • cpe:2.3:a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:* versions from (including) 15.0.0; versions up to (excluding) 15.1.0
  • cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:* versions from (including) 12.1.0; versions up to (excluding) 12.1.5.1
  • cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:* versions from (including) 13.0.0; versions up to (excluding) 13.1.3.4
  • cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:* versions from (including) 14.0.0; versions up to (excluding) 14.1.2.5
  • cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:* versions from (including) 15.0.0; versions up to (excluding) 15.1.0
  • cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:* versions from (including) 12.1.0; versions up to (excluding) 12.1.5.1
  • cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:* versions from (including) 13.0.0; versions up to (excluding) 13.1.3.4
  • cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:* versions from (including) 14.0.0; versions up to (excluding) 14.1.2.5
  • cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:* versions from (including) 15.0.0; versions up to (excluding) 15.1.0
  • cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:* versions from (including) 12.1.0; versions up to (excluding) 12.1.5.1
  • cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:* versions from (including) 13.0.0; versions up to (excluding) 13.1.3.4
  • cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:* versions from (including) 14.0.0; versions up to (excluding) 14.1.2.5
  • cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:* versions from (including) 15.0.0; versions up to (excluding) 15.1.0
  • cpe:2.3:a:f5:big-ip_webaccelerator:*:*:*:*:*:*:*:* versions from (including) 12.1.0; versions up to (excluding) 12.1.5.1
  • cpe:2.3:a:f5:big-ip_webaccelerator:*:*:*:*:*:*:*:* versions from (including) 13.0.0; versions up to (excluding) 13.1.3.4
  • cpe:2.3:a:f5:big-ip_webaccelerator:*:*:*:*:*:*:*:* versions from (including) 14.0.0; versions up to (excluding) 14.1.2.5
  • cpe:2.3:a:f5:big-ip_webaccelerator:*:*:*:*:*:*:*:* versions from (including) 15.0.0; versions up to (excluding) 15.1.0
  • cpe:2.3:a:getbootstrap:bootstrap:*:*:*:*:*:*:*:* versions up to (excluding) 3.4.1
  • cpe:2.3:a:getbootstrap:bootstrap:*:*:*:*:*:*:*:* versions from (including) 4.3.0; versions up to (excluding) 4.3.1
  • cpe:2.3:a:redhat:virtualization_manager:4.3:*:*:*:*:*:*:*
  • cpe:2.3:a:tenable:tenable.sc:*:*:*:*:*:*:*:* versions up to (excluding) 5.19.0

Bootstrap before 4.0.0 is end-of-life and no longer maintained. (RETIREJS)  

Bootstrap before 4.0.0 is end-of-life and no longer maintained.
Unscored:
  • Severity: low

References:

brace-fold.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/addon/fold/brace-fold.js
MD5: 7fd555e31badb4918a7ec8b9080b600e
SHA1: b2cd581c253922a62c9d1d9d869f9f264f6f6e87
SHA256:2adb5bfa473eabf9f9ccc256f997e0bbe35228092092a675b2129be2709e51c5
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

bs.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/bs.js
MD5: 8307dfcd2a83bbc9e2f06a6ab61ce3f5
SHA1: f132a4980513e0d4f66993f4e83a3712525ba1a0
SHA256:c9c7b398ebf9498225e3f71214681f429b2b85e8b63f11048f7dfd8608d95011
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

ca.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/ca.js
MD5: 5e02f06a8257b22c1b271330d76d4deb
SHA1: 870bb5c8fdc78327d3bd63112a5a59192dc58229
SHA256:8a4e405fcfa705a9cc91d9e0e7cae17c5dccffd5f368b1edabd96e67ca94bd5b
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

cas-client-core-3.3.3.jar

File Path: /home/vaclav/.m2/repository/org/jasig/cas/client/cas-client-core/3.3.3/cas-client-core-3.3.3.jar
MD5: c729171d461fa90455e5f94423fd55b8
SHA1: 4075c60835d9159ff6dee809037caa7d29019af1
SHA256:ed66678bcc81b5407e6379b5a01545991e85dd3950e361a9ed2163679f700c08
Referenced In Project/Scope: OpenKM Web Application:compile
cas-client-core-3.3.3.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.security/spring-security-cas@3.2.10.RELEASE

Identifiers

castor-core-1.3.3.jar

Description:

Core functionality - Required by all other modules

File Path: /home/vaclav/.m2/repository/org/codehaus/castor/castor-core/1.3.3/castor-core-1.3.3.jar
MD5: 626dd793f4b5136e17fcb50eef053cb7
SHA1: 2fbb4a27b840e116526a1189dbe53307551ecfb4
SHA256:4b69771c9932f559a7e6f2b6218f442dd7ae086f68575b45f403c5e2c18ce8ce
Referenced In Project/Scope: OpenKM Web Application:compile
castor-core-1.3.3.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/net.sf.jasperreports/jasperreports@6.4.3

Identifiers

catch-exception-1.2.0.jar

Description:

Catch and verify exceptions

File Path: /home/vaclav/.m2/repository/com/googlecode/catch-exception/catch-exception/1.2.0/catch-exception-1.2.0.jar
MD5: f882618633b535145430dd81560c0087
SHA1: f2d1a395d91b4c024b9cc6a0946cfb10199df0a0
SHA256:083f55e5b92c72e779a33e0d9b830d5faddddf93f6a574cdec4229b92ea24915
Referenced In Project/Scope: OpenKM Web Application:compile
catch-exception-1.2.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12

Identifiers

chemistry-opencmis-commons-api-0.12.0.jar

Description:

Apache Chemistry OpenCMIS is an open source implementation of the OASIS CMIS specification.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/vaclav/.m2/repository/org/apache/chemistry/opencmis/chemistry-opencmis-commons-api/0.12.0/chemistry-opencmis-commons-api-0.12.0.jar
MD5: 992b8d8b65a2e113f421e94e2fa2083d
SHA1: 756dbfe5768240857751ce23407c77eb9b5be9d1
SHA256:81edd163aa33047c5a995daee98b1b5b06ece5bfea84500b30cb4ad01da9b945
Referenced In Project/Scope: OpenKM Web Application:compile
chemistry-opencmis-commons-api-0.12.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.apache.chemistry.opencmis/chemistry-opencmis-server-support@0.12.0

Identifiers

chemistry-opencmis-commons-impl-0.12.0.jar

Description:

Apache Chemistry OpenCMIS is an open source implementation of the OASIS CMIS specification.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/vaclav/.m2/repository/org/apache/chemistry/opencmis/chemistry-opencmis-commons-impl/0.12.0/chemistry-opencmis-commons-impl-0.12.0.jar
MD5: 68bd9d0d7ede130acd4c59e55bd34518
SHA1: 2834d4cbc9ccbae8dd88b5140d8ca13848599080
SHA256:7598a3aecd155c0325b63ab65778fff0c14ecf35e283d19ac132d972e963a1ca
Referenced In Project/Scope: OpenKM Web Application:compile
chemistry-opencmis-commons-impl-0.12.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.apache.chemistry.opencmis/chemistry-opencmis-server-support@0.12.0

Identifiers

chemistry-opencmis-server-bindings-0.12.0.jar

File Path: /home/vaclav/.m2/repository/org/apache/chemistry/opencmis/chemistry-opencmis-server-bindings/0.12.0/chemistry-opencmis-server-bindings-0.12.0.jar
MD5: bad4ca93c00f7389f92be6f535638447
SHA1: 972dfba31dac9ed5fc0c9919daf93bbad4fa6c62
SHA256:82c7c9e7cb14f3953c1acead1d2b24ddadf3caaf15acb9abbf1da6a1e9ffa048
Referenced In Project/Scope: OpenKM Web Application:compile
chemistry-opencmis-server-bindings-0.12.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12

Identifiers

chemistry-opencmis-server-support-0.12.0.jar

File Path: /home/vaclav/.m2/repository/org/apache/chemistry/opencmis/chemistry-opencmis-server-support/0.12.0/chemistry-opencmis-server-support-0.12.0.jar
MD5: f3d6574fdefe86b544f7cb7b5b07f01f
SHA1: 8effdbceb8d4e6bdad1e457c83fa0340022ce914
SHA256:4c5b75e5671fe7d25c1b93fef1368b17f4b3f91ad9d347347ca978fddda0cb3a
Referenced In Project/Scope: OpenKM Web Application:compile
chemistry-opencmis-server-support-0.12.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12

Identifiers

chosen.jquery.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/chosen.jquery.js
MD5: de290575c204c2ff49ea3ee3bf9e374a
SHA1: 8ed16546217cdc74f104b31dfd950a4ab680abf0
SHA256:662aa1ddb58433ee3970b40b5c60f1853e911b17afd51c5f42292182e0adbf50
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

clike.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/clike/clike.js
MD5: 19e6f9823febf883b30fb0fe6a6d7f6c
SHA1: 15e013c589cc98570aaa6c7b073b2b56cbdb54b8
SHA256:dc31696f035104630ba9cb1d48cf7ff0124e3dcb010ed0d01fbda11916139799
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

clojure.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/clojure/clojure.js
MD5: f446fca9fded045d414b2e3642042ade
SHA1: 058ea2b1fc629ebef795f4a3bf862328310e5508
SHA256:c6e531233d52a00f01163ee63fdd1b1960b708f96b99c0191c8a694a924fda3a
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

closebrackets.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/addon/edit/closebrackets.js
MD5: 7e837f844384e1264dc04a5320a3ea6f
SHA1: 01f3dcccfc9586aecd6b09be9fd09779b82f8b88
SHA256:13247c771c0c3d7f4981f4c5bf3514bfbac8b387f811a94bb2837ee0e4893693
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

closetag.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/addon/edit/closetag.js
MD5: 46ea535d3a17ee4aaabdfa74b741b8b7
SHA1: 443ae42e0153ad768927fcee5c05ac0291852066
SHA256:ecd47c444c258e0f35c0278b6d582941e8052f3c53dd1112116d7fb4441e8a2c
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

cobol.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/cobol/cobol.js
MD5: 05a178b0e0834d8ee4bf4814c7076a3f
SHA1: 4a643c438463e477aff4f33a3c13259c657f1df7
SHA256:435d6e920a762eaf3c7be70fbd1b97ba3b130c80edd07b5847a7976e720ca372
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

codemirror.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/lib/codemirror.js
MD5: 4e1c63d288171536748ec0bafd9756eb
SHA1: 0cafcfedf28779dce0d60dff8faa446aacea6283
SHA256:846338833d1a1723a198ae401e583fca6e291c9ff398d90a2b8029a46d919bd6
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

coffeescript-lint.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/addon/lint/coffeescript-lint.js
MD5: 5b4cdc79d41492bca3a33aa974f879af
SHA1: 5a167dc80a3d126e5f8d9272de7e41fe041b7965
SHA256:0c7e6c72be75a75a9c32d1d8748cc111b8e9fa4a59a814fe4025ae3b921384aa
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

coffeescript.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/coffeescript/coffeescript.js
MD5: 5924b21cc125cb6f14d239bd1ff18eac
SHA1: 2f80aca355265bcb1d56ed3384f30314d0ac433d
SHA256:33d1ba5545278910cc9c00329f5475383d0c934197cfe794083096792bd9c088
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

colorize.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/addon/runmode/colorize.js
MD5: 9e9364426c3d48fd1f11f27a93fc1e69
SHA1: f3d92944d8ef9c2240190bbf95cf395333566b5c
SHA256:57b6a145636bbbe4b38674b75b2152bf496d913d6018abbd3a9184e5cd2e1570
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

colorpicker.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/colorpicker.js
MD5: 87bd30f8c0fd2dbbe7fe89b7fb198227
SHA1: 4c15133f59329f7e14cd4d4a8be830e1493b8e2e
SHA256:3cf3e3ce98e3fdb300418cbd8a09f408e7db20650ad9ebc2ae609ed579b7370e
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

comment-fold.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/addon/fold/comment-fold.js
MD5: 67ac591c23fd52e10b21bca75a904fd7
SHA1: 4887935062462e8b81701ff10eda8075cabf52ee
SHA256:e3e5b01c5305ca1c778584c5ca2efd30f840085c35c4423ea18083c14700c402
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

comment.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/addon/comment/comment.js
MD5: 983f318427db728f83de1f79be9a5a88
SHA1: 9b36f352b99fa48deace1c7715a583e31fc648d3
SHA256:4462c05435a7ac63694f5b95d5f2fc28f9d5a0dc22f335302d8586beb0f0d945
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

commonlisp.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/commonlisp/commonlisp.js
MD5: 0ce364dd8af59eb447758dc39db0fc6f
SHA1: 0de20057ac7e4ce8012500dd058e6e909f588898
SHA256:168e1c71aa250a67ad89d0e1f25c9c5016d01c313d675c2eaa2e34dd2e4044d3
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

commons-beanutils-1.8.3.jar

Description:

BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/vaclav/.m2/repository/commons-beanutils/commons-beanutils/1.8.3/commons-beanutils-1.8.3.jar
MD5: b45be74134796c89db7126083129532f
SHA1: 686ef3410bcf4ab8ce7fd0b899e832aaba5facf7
SHA256:e1407b81d8138fb9c1fc731b87b5e0068ddccabfbc65dee59cdb378a90c5e81a
Referenced In Project/Scope: OpenKM Web Application:compile
commons-beanutils-1.8.3.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12

Identifiers

CVE-2014-0114  

Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.
CWE-20 Improper Input Validation

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P

References:

Vulnerable Software & Versions:

CVE-2019-10086  

In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however, were not using this by-default characteristic of the PropertyUtilsBean.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (7.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions:

commons-cli-1.2.jar

Description:

Commons CLI provides a simple API for presenting, processing and validating a command line interface.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/vaclav/.m2/repository/commons-cli/commons-cli/1.2/commons-cli-1.2.jar
MD5: bfdcae1ff93f0c07d733f03bdce28c9e
SHA1: 2bf96b7aa8b611c177d329452af1dc933e14501c
SHA256:e7cd8951956d349b568b7ccfd4f5b2529a8c113e67c32b028f52ffda371259d9
Referenced In Project/Scope: OpenKM Web Application:compile
commons-cli-1.2.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12

Identifiers

commons-codec-1.5.jar

Description:

The codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/vaclav/.m2/repository/commons-codec/commons-codec/1.5/commons-codec-1.5.jar
MD5: 4686be8303e04b41a0b5c37710b9a09d
SHA1: cf993e250ff71804754ec2734a16f23c0be99f70
SHA256:c7956fe621708e45314ebdf6a35e35c57f2ff80ba9c85dfafb1e43620af6c797
Referenced In Project/Scope: OpenKM Web Application:compile
commons-codec-1.5.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12

Identifiers

commons-collections-3.1.jar

Description:

Types that extend and augment the Java Collections Framework.

File Path: /home/vaclav/.m2/repository/commons-collections/commons-collections/3.1/commons-collections-3.1.jar
MD5: d1dcb0fbee884bb855bb327b8190af36
SHA1: 40fb048097caeacdb11dbb33b5755854d89efdeb
SHA256:c1547d185ba6880bcc2da261c5f7533512b6ffdbbc1898db5b793c0cb830fcf0
Referenced In Project/Scope: OpenKM Web Application:compile
commons-collections-3.1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12

Identifiers

CVE-2015-6420  

Serialized-object interfaces in certain Cisco Collaboration and Social Media; Endpoint Clients and Client Software; Network Application, Service, and Acceleration; Network and Content Security Devices; Network Management and Provisioning; Routing and Switching - Enterprise and Service Provider; Unified Computing; Voice and Unified Communications Devices; Video, Streaming, TelePresence, and Transcoding Devices; Wireless; and Cisco Hosted Services products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P

References:

Vulnerable Software & Versions:

commons-compress-1.19.jar

Description:

Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/vaclav/.m2/repository/org/apache/commons/commons-compress/1.19/commons-compress-1.19.jar
MD5: fe897bced43468450b785b66c1cff455
SHA1: 7e65777fb451ddab6a9c054beb879e521b7eab78
SHA256:ff2d59fad74e867630fbc7daab14c432654712ac624dbee468d220677b124dd5
Referenced In Project/Scope: OpenKM Web Application:compile
commons-compress-1.19.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12

Identifiers

CVE-2021-35515  

When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package.
CWE-834 Excessive Iteration, CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2021-35516  

When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package.
CWE-130 Improper Handling of Length Parameter Inconsistency, CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2021-35517  

When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.
CWE-130 Improper Handling of Length Parameter Inconsistency, CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2021-36090  

When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.
CWE-130 Improper Handling of Length Parameter Inconsistency, NVD-CWE-Other

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2024-25710  

Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress. This issue affects Apache Commons Compress: from 1.3 through 1.25.0.

Users are recommended to upgrade to version 1.26.0 which fixes the issue.

CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')

CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:1.8/RC:R/MAV:A

References:

Vulnerable Software & Versions:

commons-digester-2.1.jar

Description:

The Digester package lets you configure an XML to Java object mapping module which triggers certain actions called rules whenever a particular pattern of nested XML elements is recognized.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/vaclav/.m2/repository/commons-digester/commons-digester/2.1/commons-digester-2.1.jar
MD5: 528445033f22da28f5047b6abcd1c7c9
SHA1: 73a8001e7a54a255eef0f03521ec1805dc738ca0
SHA256:e0b2b980a84fc6533c5ce291f1917b32c507f62bcad64198fff44368c2196a3d
Referenced In Project/Scope: OpenKM Web Application:compile
commons-digester-2.1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/net.sf.jasperreports/jasperreports@6.4.3

Identifiers

commons-fileupload-1.3.2.jar

Description:

The Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/vaclav/.m2/repository/commons-fileupload/commons-fileupload/1.3.2/commons-fileupload-1.3.2.jar
MD5: f76891c36a08e87e3f806d3a83fcb4bc
SHA1: 5d7491ed6ebd02b6a8d2305f8e6b7fe5dbd95f72
SHA256:287d0b5ba8ac6437ee5d7f5567cb68327b6c52957c1d8292e25ecd25e04b25f5
Referenced In Project/Scope: OpenKM Web Application:compile
commons-fileupload-1.3.2.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12

Identifiers

CVE-2016-1000031  

Apache Commons FileUpload before 1.3.3 DiskFileItem File Manipulation Remote Code Execution
CWE-284 Improper Access Control

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2023-24998  

Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed, resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads.

Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions:

commons-httpclient-3.1.jar

Description:

The HttpClient component supports the client side of RFC 1945 (HTTP/1.0) and RFC 2616 (HTTP/1.1), several related specifications (RFC 2109 (Cookies), RFC 2617 (HTTP Authentication), etc.), and provides a framework by which new request types (methods) or HTTP extensions can be created easily.

License:

Apache License: http://www.apache.org/licenses/LICENSE-2.0
File Path: /home/vaclav/.m2/repository/commons-httpclient/commons-httpclient/3.1/commons-httpclient-3.1.jar
MD5: 8ad8c9229ef2d59ab9f59f7050e846a5
SHA1: 964cd74171f427720480efdec40a7c7f6e58426a
SHA256:dbd4953d013e10e7c1cc3701a3e6ccd8c950c892f08d804fabfac21705930443
Referenced In Project/Scope: OpenKM Web Application:compile
commons-httpclient-3.1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12

Identifiers

CVE-2012-5783  

Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
CWE-295 Improper Certificate Validation

CVSSv2:
  • Base Score: MEDIUM (5.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:N

References:

Vulnerable Software & Versions:

CVE-2020-13956  

Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret a malformed authority component in request URIs passed to the library as a java.net.URI object and pick the wrong target host for request execution.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions:

commons-io-2.4.jar

Description:

The Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/vaclav/.m2/repository/commons-io/commons-io/2.4/commons-io-2.4.jar
MD5: 7f97854dc04c119d461fed14f5d8bb96
SHA1: b1b6ea3b7e4aa4f492509a4952029cd8e48019ad
SHA256:cc6a41dc3eaacc9e440a6bd0d2890b20d36b4ee408fe2d67122f328bb6e01581
Referenced In Project/Scope: OpenKM Web Application:compile
commons-io-2.4.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12

Identifiers

CVE-2021-29425  

In Apache Commons IO before 2.7, when invoking the method FileNameUtils.normalize with an improper input string, like "//../foo" or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), CWE-20 Improper Input Validation

CVSSv2:
  • Base Score: MEDIUM (5.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (4.8)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N/E:2.2/RC:R/MAV:A

References:

Vulnerable Software & Versions:

commons-lang-2.6.jar

Description:

Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/vaclav/.m2/repository/commons-lang/commons-lang/2.6/commons-lang-2.6.jar
MD5: 4d5c1693079575b362edf41500630bbd
SHA1: 0ce1edb914c94ebc388f086c6827e8bdeec71ac2
SHA256:50f11b09f877c294d56f24463f47d28f929cf5044f648661c0f0cfbae9a2f49c
Referenced In Project/Scope: OpenKM Web Application:compile
commons-lang-2.6.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.apache.chemistry.opencmis/chemistry-opencmis-server-bindings@0.12.0

Identifiers

commons-lang3-3.2.1.jar

Description:

Apache Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/vaclav/.m2/repository/org/apache/commons/commons-lang3/3.2.1/commons-lang3-3.2.1.jar
MD5: 7fc4221e7e3a05d8052d3fbb34fb0a5a
SHA1: 66f13681add50ca9e4546ffabafaaac7645db3cf
SHA256:8024c2503bf83efa7dff153fe024c1624f5f756be0ec5fc11c856fe420864d26
Referenced In Project/Scope: OpenKM Web Application:compile
commons-lang3-3.2.1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.apache.cxf/cxf-rt-rs-service-description-swagger@3.2.6

Identifiers

commons-logging-1.1.1.jar

Description:

Commons Logging is a thin adapter allowing configurable bridging to other, well known logging systems.

File Path: /home/vaclav/.m2/repository/commons-logging/commons-logging/1.1.1/commons-logging-1.1.1.jar
MD5: ed448347fc0104034aa14c8189bf37de
SHA1: 5043bfebc3db072ed80fbd362e7caf00e885d8ae
SHA256:ce6f913cad1f0db3aad70186d65c5bc7ffcc9a99e3fe8e0b137312819f7c362f
Referenced In Project/Scope: OpenKM Web Application:compile
commons-logging-1.1.1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/commons-beanutils/commons-beanutils@1.8.3

Identifiers

continuecomment.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/addon/comment/continuecomment.js
MD5: f9b0e8a95c77dcb7766acef3710e42e9
SHA1: 20d9b842d252230eb3252eaba9de3a8672d3cfdd
SHA256:099a1e4e7aba8b889243036660cacca72b89787edc8b456057edb6bc1bdb4eb2
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

continuelist.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/addon/edit/continuelist.js
MD5: 32a633aabf220ecbd585e517891b797d
SHA1: 5899ba64c7ab89961d02040909c36da24100f2a2
SHA256:1df8ae4caa16f3c2b7907638bd7b259cc256a2dfda93269c731dafa66225f72e
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

core-1.47.1.jar

Description:

The Google Data Java client library is written by Google. It supports the latest major version of the following Google Data APIs.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/vaclav/.m2/repository/com/google/gdata/core/1.47.1/core-1.47.1.jar
MD5: 0ab87486663ef3adc0a195a1cff87d37
SHA1: 52ee0d917c1c3461f6e12079f73ed71bc75f12d4
SHA256:671fb963dd0bc767a69c7e4a74c07cf8dad3912bd40d37e600cc2b06d7a42dea
Referenced In Project/Scope: OpenKM Web Application:compile
core-1.47.1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12

Identifiers

core-2.2.jar

Description:

Core barcode encoding/decoding library

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/vaclav/.m2/repository/com/google/zxing/core/2.2/core-2.2.jar
MD5: 479d0651da7129b32f521d876f9ffe38
SHA1: cba0b93b0072105d808ef7a00a107a4eb97874e7
SHA256:c6963b3ddc11b8a1ff4ebf65e93314cc6af341685f70c98c752094fa59bef492
Referenced In Project/Scope: OpenKM Web Application:compile
core-2.2.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12

Identifiers

crontab-parser-1.0.1.jar

Description:

A parser for reading CronTab strings, written in Java using JavaCC.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/vaclav/.m2/repository/com/kenai/crontab-parser/crontab-parser/1.0.1/crontab-parser-1.0.1.jar
MD5: 7938fde3357cb513482c6e7168affa32
SHA1: 333e5fd1dde321901ccfc7f40f069f00adb898f9
SHA256:d7c37cd89957fd02a6eaf539595d7676e234d6ffebaf279000cd5c7588c74b2b
Referenced In Project/Scope: OpenKM Web Application:compile
crontab-parser-1.0.1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12

Identifiers

cryptacular-1.1.1.jar

Description:

The spectacular complement to the Bouncy Castle crypto API for Java.

License:

Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt
GNU Lesser General Public License: http://www.gnu.org/licenses/lgpl-3.0.txt
File Path: /home/vaclav/.m2/repository/org/cryptacular/cryptacular/1.1.1/cryptacular-1.1.1.jar
MD5: 6d6afbdd6f7596f52b70a274e6fd0d51
SHA1: fb63bf067d278e11eb74c6ff6139493d0df4e8a9
SHA256:66d22c7edc4a1ae921862d909dea53d0cad798e8b64333643bc3aba3f706ff0b
Referenced In Project/Scope: OpenKM Web Application:compile
cryptacular-1.1.1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.apache.cxf/cxf-rt-ws-security@3.2.6

Identifiers

CVE-2020-7226  

CiphertextHeader.java in Cryptacular 1.2.3, as used in Apereo CAS and other products, allows attackers to trigger excessive memory allocation during a decode operation, because the nonce array length associated with "new byte" may depend on untrusted input within the header of encoded data.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions:

cs.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/cs.js
MD5: 32bdace265f7d88da40484a5a3db7900
SHA1: d8c71bdd422e488b0ebed64a3142ad72a616472c
SHA256:9034f00f539b91300620609a0d3307b2f5f418e10a25eeba7e882d02623f3afa
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

css-hint.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/addon/hint/css-hint.js
MD5: c101e043240bde393c466aea5e86ebeb
SHA1: fd40ce7be4e140f3d06b855343a72c6d205c2b25
SHA256:be2e36381c6fb48373a1d939066167b39a38a53fe1c0e8cd85eb8763b939b0e6
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

css-lint.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/addon/lint/css-lint.js
MD5: c2f92159f243d5aa127f835068c4a7e2
SHA1: c1d5f25da3b5ee46868b8303bc70769769d9ecb3
SHA256:6150658a7aa5734db22af01e9c143d71709842bc6697eee85d76fc56595bd0ec
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

css.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/css/css.js
MD5: 577e68711c5d317b6418ae2ef163462b
SHA1: 28a4c7e26aabe13c466eb8ff244a8f8896d37237
SHA256:fdfed5c385cff8818920cc8f8246c690a7ffae274b2d53c27108406e2e17cecd
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

cxf-core-3.2.6.jar

Description:

Apache CXF Core

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/vaclav/.m2/repository/org/apache/cxf/cxf-core/3.2.6/cxf-core-3.2.6.jar
MD5: 4692a933d6a360f960fb45b27da6ebf4
SHA1: de6b2ef9cb8a45ec5417f6783d6640851a2c9547
SHA256:b1c77b83d8e5c18a3ac904b7b652c00ad9772a5d14ba31867d85741441512403
Referenced In Project/Scope: OpenKM Web Application:compile
cxf-core-3.2.6.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.apache.cxf/cxf-rt-frontend-jaxws@3.2.6

Identifiers

CVE-2019-12419  

Apache CXF before 3.3.4 and 3.2.11 provides all of the components that are required to build a fully fledged OpenId Connect service. There is a vulnerability in the access token services, where it does not validate that the authenticated principal is equal to that of the supplied clientId parameter in the request. If a malicious client was able to somehow steal an authorization code issued to another client, then they could exploit this vulnerability to obtain an access token for the other client.
CWE-863 Incorrect Authorization

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2022-46364  

An SSRF vulnerability in parsing the href attribute of XOP:Include in MTOM requests in versions of Apache CXF before 3.5.5 and 3.4.10 allows an attacker to perform SSRF-style attacks on web services that take at least one parameter of any type.
CWE-918 Server-Side Request Forgery (SSRF)

CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2019-12423  

Apache CXF ships with an OpenID Connect JWK Keys service, which allows a client to obtain the public keys in JWK format, which can then be used to verify the signature of tokens issued by the service. Typically, the service obtains the public key from a local keystore (JKS/PKCS12) by specifying the path of the keystore and the alias of the keystore entry. This case is not vulnerable. However, it is also possible to obtain the keys from a JWK keystore file by setting the configuration parameter "rs.security.keystore.type" to "jwk". In this case all keys in the file are returned "as is", including all private key and secret key credentials. This is an obvious security risk if the user has configured the signature keystore file with private or secret key credentials. From CXF 3.3.5 and 3.2.12, it is mandatory to specify an alias corresponding to the id of the key in the JWK file, and only this key is returned. In addition, any private key information is omitted by default. "oct" keys, which contain secret keys, are not returned at all.
CWE-522 Insufficiently Protected Credentials

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2021-22696  

CXF supports (via JwtRequestCodeFilter) passing OAuth 2 parameters via a JWT token as opposed to query parameters (see: The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)). Instead of sending a JWT token as a "request" parameter, the spec also supports specifying a URI from which to retrieve a JWT token via the "request_uri" parameter. CXF was not validating the "request_uri" parameter (apart from ensuring it uses "https") and was making a REST request to the parameter in the request to retrieve a token. This means that CXF was vulnerable to DDoS attacks on the authorization server, as specified in section 10.4.1 of the spec. This issue affects Apache CXF versions prior to 3.4.3; Apache CXF versions prior to 3.3.10.
CWE-400 Uncontrolled Resource Consumption, CWE-918 Server-Side Request Forgery (SSRF)

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2021-30468  

A vulnerability in the JsonMapObjectReaderWriter of Apache CXF allows an attacker to submit malformed JSON to a web service, which results in the thread getting stuck in an infinite loop, consuming CPU indefinitely. This issue affects Apache CXF versions prior to 3.4.4; Apache CXF versions prior to 3.3.11.
CWE-400 Uncontrolled Resource Consumption, CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2022-46363  

A vulnerability in Apache CXF before versions 3.5.5 and 3.4.10 allows an attacker to perform a remote directory listing or code exfiltration. The vulnerability only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes are not supposed to be used together, and so the vulnerability can only arise if the CXF service is misconfigured.
CWE-20 Improper Input Validation

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2024-28752 (OSSINDEX)  

An SSRF vulnerability using the Aegis DataBinding in versions of Apache CXF before 4.0.4, 3.6.3 and 3.5.8 allows an attacker to perform SSRF-style attacks on web services that take at least one parameter of any type. Users of other data bindings (including the default databinding) are not impacted.

Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2024-28752 for details.
CWE-918 Server-Side Request Forgery (SSRF)

CVSSv3:
  • Base Score: HIGH (7.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.apache.cxf:cxf-core:3.2.6:*:*:*:*:*:*:*

CVE-2019-12406  

Apache CXF before 3.3.4 and 3.2.11 does not restrict the number of message attachments present in a given message. This leaves open the possibility of a denial of service type attack, where a malicious user crafts a message containing a very large number of message attachments. From the 3.3.4 and 3.2.11 releases, a default limit of 50 message attachments is enforced. This is configurable via the message property "attachment-max-count".
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:2.8/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2019-17573  

By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack, which allows a malicious actor to inject JavaScript into the web page. Please note that the attack exploits a feature which is not typically present in modern browsers, which remove dot segments before sending the request. However, mobile applications may be vulnerable.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:2.8/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2020-13954  

By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack via the styleSheetPath, which allows a malicious actor to inject javascript into the web page. This vulnerability affects all versions of Apache CXF prior to 3.4.1 and 3.3.8. Please note that this is a separate issue to CVE-2019-17573.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:2.8/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2020-1954  

Apache CXF has the ability to integrate with JMX by registering an InstrumentationManager extension with the CXF bus. If the "createMBServerConnectorFactory" property of the default InstrumentationManagerImpl is not disabled, then it is vulnerable to a man-in-the-middle (MITM) style attack. An attacker on the same host can connect to the registry and rebind the entry to another server, thus acting as a proxy to the original. They are then able to gain access to all of the information that is sent and received over JMX.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: LOW (2.9)
  • Vector: /AV:A/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:1.6/RC:R/MAV:A

References:

Vulnerable Software & Versions:

cxf-rt-rs-service-description-swagger-3.2.6.jar

Description:

Apache CXF JAX-RS Service Description Swagger

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/vaclav/.m2/repository/org/apache/cxf/cxf-rt-rs-service-description-swagger/3.2.6/cxf-rt-rs-service-description-swagger-3.2.6.jar
MD5: 280dee28a787344baf2b2f3ee80efcbe
SHA1: 998737f3b87afc9f8f2a00cfb664551c6e22b6e0
SHA256:89c45c6b0a8306599a9db0b6198ad8ab2494cb8cff6178ac505dd36441902611
Referenced In Project/Scope: OpenKM Web Application:compile
cxf-rt-rs-service-description-swagger-3.2.6.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12

Identifiers

CVE-2019-12419  

Apache CXF before 3.3.4 and 3.2.11 provides all of the components that are required to build a fully fledged OpenId Connect service. There is a vulnerability in the access token services, where it does not validate that the authenticated principal is equal to that of the supplied clientId parameter in the request. If a malicious client was able to somehow steal an authorization code issued to another client, then they could exploit this vulnerability to obtain an access token for the other client.
CWE-863 Incorrect Authorization

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2022-46364  

An SSRF vulnerability in parsing the href attribute of XOP:Include in MTOM requests in versions of Apache CXF before 3.5.5 and 3.4.10 allows an attacker to perform SSRF-style attacks on web services that take at least one parameter of any type.
CWE-918 Server-Side Request Forgery (SSRF)

CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2019-12423  

Apache CXF ships with an OpenID Connect JWK Keys service, which allows a client to obtain the public keys in JWK format, which can then be used to verify the signature of tokens issued by the service. Typically, the service obtains the public key from a local keystore (JKS/PKCS12) by specifying the path of the keystore and the alias of the keystore entry. This case is not vulnerable. However, it is also possible to obtain the keys from a JWK keystore file by setting the configuration parameter "rs.security.keystore.type" to "jwk". In this case all keys in the file are returned "as is", including all private key and secret key credentials. This is an obvious security risk if the user has configured the signature keystore file with private or secret key credentials. From CXF 3.3.5 and 3.2.12, it is mandatory to specify an alias corresponding to the id of the key in the JWK file, and only this key is returned. In addition, any private key information is omitted by default. "oct" keys, which contain secret keys, are not returned at all.
CWE-522 Insufficiently Protected Credentials

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2021-22696  

CXF supports (via JwtRequestCodeFilter) passing OAuth 2 parameters via a JWT token as opposed to query parameters (see: The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)). Instead of sending a JWT token as a "request" parameter, the spec also supports specifying a URI from which to retrieve a JWT token via the "request_uri" parameter. CXF was not validating the "request_uri" parameter (apart from ensuring it uses "https") and was making a REST request to the parameter in the request to retrieve a token. This means that CXF was vulnerable to DDoS attacks on the authorization server, as specified in section 10.4.1 of the spec. This issue affects Apache CXF versions prior to 3.4.3; Apache CXF versions prior to 3.3.10.
CWE-400 Uncontrolled Resource Consumption, CWE-918 Server-Side Request Forgery (SSRF)

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2021-30468  

A vulnerability in the JsonMapObjectReaderWriter of Apache CXF allows an attacker to submit malformed JSON to a web service, which results in the thread getting stuck in an infinite loop, consuming CPU indefinitely. This issue affects Apache CXF versions prior to 3.4.4; Apache CXF versions prior to 3.3.11.
CWE-400 Uncontrolled Resource Consumption, CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2022-46363  

A vulnerability in Apache CXF before versions 3.5.5 and 3.4.10 allows an attacker to perform a remote directory listing or code exfiltration. The vulnerability only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes are not supposed to be used together, and so the vulnerability can only arise if the CXF service is misconfigured.
CWE-20 Improper Input Validation

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2019-12406  

Apache CXF before 3.3.4 and 3.2.11 does not restrict the number of message attachments present in a given message. This leaves open the possibility of a denial of service type attack, where a malicious user crafts a message containing a very large number of message attachments. From the 3.3.4 and 3.2.11 releases, a default limit of 50 message attachments is enforced. This is configurable via the message property "attachment-max-count".
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:2.8/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2019-17573  

By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack, which allows a malicious actor to inject JavaScript into the web page. Please note that the attack exploits a feature which is not typically present in modern browsers, which remove dot segments before sending the request. However, mobile applications may be vulnerable.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:2.8/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2020-13954  

By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack via the styleSheetPath, which allows a malicious actor to inject javascript into the web page. This vulnerability affects all versions of Apache CXF prior to 3.4.1 and 3.3.8. Please note that this is a separate issue to CVE-2019-17573.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:2.8/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2020-1954  

Apache CXF has the ability to integrate with JMX by registering an InstrumentationManager extension with the CXF bus. If the "createMBServerConnectorFactory" property of the default InstrumentationManagerImpl is not disabled, then it is vulnerable to a man-in-the-middle (MITM) style attack. An attacker on the same host can connect to the registry and rebind the entry to another server, thus acting as a proxy to the original. They are then able to gain access to all of the information that is sent and received over JMX.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: LOW (2.9)
  • Vector: /AV:A/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:1.6/RC:R/MAV:A

References:

Vulnerable Software & Versions:

cxf-rt-wsdl-3.2.6.jar

Description:

Apache CXF Runtime Core for WSDL Based Technologies

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/vaclav/.m2/repository/org/apache/cxf/cxf-rt-wsdl/3.2.6/cxf-rt-wsdl-3.2.6.jar
MD5: 0a5dc82a6650f92a1c8fd714c7ef28a2
SHA1: ca21e6bfc86b31f2c8c5b394f3f1421fa17aa132
SHA256:5302875f0394486d2c0ba07c0570ab57b3c5516491f198149ed53319b6105ff2
Referenced In Project/Scope: OpenKM Web Application:compile
cxf-rt-wsdl-3.2.6.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.apache.cxf/cxf-rt-frontend-jaxws@3.2.6

Identifiers

CVE-2019-12419  

Apache CXF before 3.3.4 and 3.2.11 provides all of the components that are required to build a fully fledged OpenId Connect service. There is a vulnerability in the access token services, where it does not validate that the authenticated principal is equal to that of the supplied clientId parameter in the request. If a malicious client was able to somehow steal an authorization code issued to another client, then they could exploit this vulnerability to obtain an access token for the other client.
CWE-863 Incorrect Authorization

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2022-46364  

An SSRF vulnerability in parsing the href attribute of XOP:Include in MTOM requests in versions of Apache CXF before 3.5.5 and 3.4.10 allows an attacker to perform SSRF-style attacks on web services that take at least one parameter of any type.
CWE-918 Server-Side Request Forgery (SSRF)

CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2019-12423  

Apache CXF ships with an OpenId Connect JWK Keys service, which allows a client to obtain the public keys in JWK format, which can then be used to verify the signature of tokens issued by the service. Typically, the service obtains the public key from a local keystore (JKS/PKCS12) by specifying the path of the keystore and the alias of the keystore entry. This case is not vulnerable. However, it is also possible to obtain the keys from a JWK keystore file, by setting the configuration parameter "rs.security.keystore.type" to "jwk". For this case all keys are returned in this file "as is", including all private key and secret key credentials. This is an obvious security risk if the user has configured the signature keystore file with private or secret key credentials. From CXF 3.3.5 and 3.2.12, it is mandatory to specify an alias corresponding to the id of the key in the JWK file, and only this key is returned. In addition, any private key information is omitted by default. "oct" keys, which contain secret keys, are not returned at all.
CWE-522 Insufficiently Protected Credentials

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2021-22696  

CXF supports (via JwtRequestCodeFilter) passing OAuth 2 parameters via a JWT token as opposed to query parameters (see: The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)). Instead of sending a JWT token as a "request" parameter, the spec also supports specifying a URI from which to retrieve a JWT token via the "request_uri" parameter. CXF was not validating the "request_uri" parameter (apart from ensuring it uses "https") and was making a REST request to the parameter in the request to retrieve a token. This means that CXF was vulnerable to DDoS attacks on the authorization server, as specified in section 10.4.1 of the spec. This issue affects Apache CXF versions prior to 3.4.3; Apache CXF versions prior to 3.3.10.
CWE-400 Uncontrolled Resource Consumption, CWE-918 Server-Side Request Forgery (SSRF)

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2021-30468  

A vulnerability in the JsonMapObjectReaderWriter of Apache CXF allows an attacker to submit malformed JSON to a web service, which results in the thread getting stuck in an infinite loop, consuming CPU indefinitely. This issue affects Apache CXF versions prior to 3.4.4; Apache CXF versions prior to 3.3.11.
CWE-400 Uncontrolled Resource Consumption, CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2022-46363  

A vulnerability in Apache CXF before versions 3.5.5 and 3.4.10 allows an attacker to perform a remote directory listing or code exfiltration. The vulnerability only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes are not supposed to be used together, and so the vulnerability can only arise if the CXF service is misconfigured.

CWE-20 Improper Input Validation

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2019-12406  

Apache CXF before 3.3.4 and 3.2.11 does not restrict the number of message attachments present in a given message. This leaves open the possibility of a denial of service type attack, where a malicious user crafts a message containing a very large number of message attachments. From the 3.3.4 and 3.2.11 releases, a default limit of 50 message attachments is enforced. This is configurable via the message property "attachment-max-count".
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:2.8/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2019-17573  

By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack, which allows a malicious actor to inject javascript into the web page. Please note that the attack exploits a feature which is not typically present in modern browsers, which remove dot segments before sending the request. However, mobile applications may be vulnerable.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:2.8/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2020-13954  

By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack via the styleSheetPath, which allows a malicious actor to inject javascript into the web page. This vulnerability affects all versions of Apache CXF prior to 3.4.1 and 3.3.8. Please note that this is a separate issue to CVE-2019-17573.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:2.8/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2020-1954  

Apache CXF has the ability to integrate with JMX by registering an InstrumentationManager extension with the CXF bus. If the "createMBServerConnectorFactory" property of the default InstrumentationManagerImpl is not disabled, then it is vulnerable to a man-in-the-middle (MITM) style attack. An attacker on the same host can connect to the registry and rebind the entry to another server, thus acting as a proxy to the original. They are then able to gain access to all of the information that is sent and received over JMX.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: LOW (2.9)
  • Vector: /AV:A/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:1.6/RC:R/MAV:A

References:

Vulnerable Software & Versions:

cy.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/cy.js
MD5: f855e4ea37e32171615ec432cbc6fa1a
SHA1: 5dcd337546fcab0cc288594aa149a13a41b768fc
SHA256:52531c00874f08ed705274fc5c6940c0d31ee2eb5306d8dee331ee93aaa02879
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

d.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/d/d.js
MD5: e5ebcc495d888828f3ef061485e9c8b8
SHA1: b5b9a5606b00177ee789c1d4ab59f160969daae7
SHA256:e7a39d915b046ea60562d20598d8051aadd19139fadf0e9eb73fd29e05f26f98
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

da.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/da.js
MD5: 1a2241ac826d943ad35d35ab96902e03
SHA1: 0083ac2bceae3a6d38c4af898ca89b84f18c827d
SHA256:7f85a3e3356bc835e38222c055fd14f610c22d70cfb76806c329134a3c62a952
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

de.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/de.js
MD5: 2e0e6dbf136e8dcdab903cb648e52630
SHA1: b0c920fad6c4a3f0ae31c89f1786b36744596c57
SHA256:182cdba9d5309bd459cb6c7802826333073647d10dd159cd8843ddf231c2c2d8
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

de_AT.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/de_AT.js
MD5: 3ab58270ed387f9a89f31a671ef7992b
SHA1: 70c103af4f69a5cb8ff761d0d82d5d8df3d6dcbc
SHA256:5aa9f098de09fa6884ea1d10fc1298a80016654b0e6a1b1142d29770c1934893
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

debugger.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/preview/pdfjs/web/debugger.js
MD5: cee256b3148b71c096a8284b6b3aaf41
SHA1: 4ab7d76ffdf3b79b54ca8f985ffc556852a9c4c7
SHA256:514e79e0fb34895ad93d3414901e0c27b65a3adce083a28dcacf5b57f3d80327
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

dialog.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/addon/dialog/dialog.js
MD5: 5313293614d5eb85dafa26df6b0dda0d
SHA1: 4ddcd1189a1b05c8fde0fa73c3ca05fcafe979c4
SHA256:5271c108e723f89751c7053408d1f2f4278a125553b84ff707a31fb2f288229d
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

diff.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/diff/diff.js
MD5: 2cadbad679927b1d88a8f9da8bffde70
SHA1: a6fc86148afbc6bba13230275004e3d42cf9edb5
SHA256:35830d2dccb54039ee12d1fa5b417a3e47f0f085f892cef30edb336340f82b8a
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

diff_match_patch.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/addon/merge/dep/diff_match_patch.js
MD5: ecbc571af41c4fbbaac460b86ac394ac
SHA1: fe884e8da63959edadc8b9a579551d5eab3af34b
SHA256:fbbb3d772be647b0a82fc1498986c0d1ec4b52bb520d8404a539796c73412fc6
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

django.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/django/django.js
MD5: 29b09cd8891d814e5bdda7c7cc6e764d
SHA1: 659f15c3390f3c068cc9d8e8565970527329ca21
SHA256:c205f101bb0ae173b1422b59fb7da941bb627a1feae8e753db49d589549cf58e
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

dnsjava-2.0.8.jar

Description:

dnsjava is an implementation of DNS in Java. It supports all defined record types (including the DNSSEC types), and unknown types. It can be used for queries, zone transfers, and dynamic updates. It includes a cache which can be used by clients, and a minimal implementation of a server. It supports TSIG authenticated messages, partial DNSSEC verification, and EDNS0. 

License:

BSD license: http://www.dnsjava.org/README
File Path: /home/vaclav/.m2/repository/dnsjava/dnsjava/2.0.8/dnsjava-2.0.8.jar
MD5: 9d1e41d2f4cfdb8728017b55de933753
SHA1: 0b84f81f7cec3116cc8094e9dd9825f21f9d368c
SHA256:7648a88e6851de5e15dba580684ea632bf21dde69eb3b21ae40c17eb6145b3ec
Referenced In Project/Scope: OpenKM Web Application:compile
dnsjava-2.0.8.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12

Identifiers

docx4j-3.1.0.jar

Description:

docx4j is a library which helps you to work with the Office Open XML file format as used in docx documents, pptx presentations, and xlsx spreadsheets.

License:

Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/vaclav/.m2/repository/org/docx4j/docx4j/3.1.0/docx4j-3.1.0.jar
MD5: 055f4ad7499d6813e1c48459f3362c28
SHA1: 9c94e45d4177b809f7b837c6ded98303e9e6fe81
SHA256:611b276186bb5c787e1363dd7edab3c1c060152a8e789c047d94bb0d90f9421c
Referenced In Project/Scope: OpenKM Web Application:compile
docx4j-3.1.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12

Identifiers

dom4j-1.6.1.jar

Description:

dom4j: the flexible XML framework for Java

File Path: /home/vaclav/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar
MD5: 4d8f51d3fe3900efc6e395be48030d6d
SHA1: 5d3ccc056b6f056dbf0dddfdf43894b9065a8f94
SHA256:593552ffea3c5823c6602478b5002a7c525fd904a3c44f1abe4065c22edfac73
Referenced In Project/Scope: OpenKM Web Application:compile
dom4j-1.6.1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.jbpm.jbpm3/jbpm-jpdl@3.3.1.OKM

Identifiers

CVE-2020-10683  

dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j.
CWE-611 Improper Restriction of XML External Entity Reference

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2018-1000632 (OSSINDEX)  

dom4j versions prior to 2.1.1 contain a CWE-91: XML Injection vulnerability in Class: Element, Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appears to be exploitable via an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later.
CWE-91 XML Injection (aka Blind XPath Injection)

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:dom4j:dom4j:1.6.1:*:*:*:*:*:*:*

dozer-5.3.2.jar

Description:

Dozer is a powerful Java Bean to Java Bean mapper that recursively copies data from one object to another.

License:

Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/vaclav/.m2/repository/net/sf/dozer/dozer/5.3.2/dozer-5.3.2.jar
MD5: 948692ee1194594bfe014c5845b552dc
SHA1: fb10fbcb72f936c1eecb195ba279df4e52bcabb0
SHA256:4886cf8482601343dfb535d603ea703deb561c770d28cd7a9d3733d115c5ea50
Referenced In Project/Scope: OpenKM Web Application:compile
dozer-5.3.2.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12

Identifiers

CVE-2014-9515  

Dozer improperly uses a reflection-based approach to type conversion, which might allow remote attackers to execute arbitrary code via a crafted serialized object.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions:

dtd.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/dtd/dtd.js
MD5: 7e4079d3b588aec92c1de975b1bbde65
SHA1: 5c132d0a2334ca527cceb940b4aeeef7ade4d0d1
SHA256:1f094ddd7181013e161105c357ebe3a8e2cef82d2a9b894920fed98c70afac63
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

dv.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/dv.js
MD5: e6c9be9c34e918f0a64d8ff0c990991a
SHA1: 662428cc6b8fd9f1a5f632500a6bd6faa72f6932
SHA256:47ba853d0c11740e08e421b2140ded99d878bb47e7a9225eb263554c182a0bd5
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

dylan.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/dylan/dylan.js
MD5: 9f967dd308965055d8dc04355f6900ca
SHA1: fe71a23af24474792ffbbc28cad03e81a4105a26
SHA256:f5f7c6fd6740fb1f52711c766920745e949e61f1a0b43972bac3fe20045cd742
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

ecj-4.4.2.jar

Description:

Eclipse JDT Core Batch Compiler

License:

Eclipse Public License v1.0: http://www.eclipse.org/org/documents/epl-v10.php
File Path: /home/vaclav/.m2/repository/org/eclipse/jdt/core/compiler/ecj/4.4.2/ecj-4.4.2.jar
MD5: ee97ab38f390547839b950bb51bf5cb5
SHA1: 71d67f5bab9465ec844596ef844f40902ae25392
SHA256:2d6ee21554bbba012b6b0383be6e6587fa35370104e41c10a3eb47039fa3e6d1
Referenced In Project/Scope: OpenKM Web Application:compile
ecj-4.4.2.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/net.sf.jasperreports/jasperreports@6.4.3

Identifiers

ecl.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/ecl/ecl.js
MD5: c30a62c7260832fff7ed556feeed03b1
SHA1: e3c5971d2a79721dd3200a98989706ce6d2018b9
SHA256:7aebda9ba2b0eb3758ee169d711145dc8d1f9d330bf3e8be9ad02c6a2c18ea74
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

ehcache-core-2.4.3.jar

Description:

This is the ehcache core module. Pair it with other modules for added functionality.

License:

The Apache Software License, Version 2.0: src/assemble/EHCACHE-CORE-LICENSE.txt
File Path: /home/vaclav/.m2/repository/net/sf/ehcache/ehcache-core/2.4.3/ehcache-core-2.4.3.jar
MD5: 9d4b1464a2fcbc16ae46740669a0dab8
SHA1: fd258ef6959f27fb678b04f90139ded4588e2d15
SHA256:9b93a12cda08e7ad4d567d2027d292e67ee726da0cbb330f5de0e90aeb1d3fd1
Referenced In Project/Scope: OpenKM Web Application:compile
ehcache-core-2.4.3.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.hibernate/hibernate-ehcache@3.6.10.Final

Identifiers

eiffel.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/eiffel/eiffel.js
MD5: 7169891be948fdb38e8752e59d5a4dd4
SHA1: 1bbd08f7eebaab82b735255c0ee4b1bbe0d9ce63
SHA256:0666f48ac9d586ec78fa703b3a168a6d2dad3c2da1f99f85e6515ad294ffbc2d
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

el.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/el.js
MD5: 5915a6a9012ff19debc3d3f001db0172
SHA1: 9d98199df7aac3f0c011bf3eae3b147681b19e8b
SHA256:75b81e8b4601b43285a0d074a917c6e9d18b636a4a58d3396321ff5b1b06d39b
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

en_CA.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/en_CA.js
MD5: b647ab56b6efc1a1676b7ee3fa874980
SHA1: f655da97c9350109f502bdbe80b3c15fbc1bc97c
SHA256:5fee7e9ab31f421075fbec94f324aef62a8670623100b1ba7ec38fa5dccb8273
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

en_GB.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/en_GB.js
MD5: 8724defc20694e4b8d921bdfcd735aba
SHA1: 7d0d3f7b625d237c3751b312af46de931b2173bc
SHA256:a8d682dedb2335d973dec930de208fd622b36a0a1c5f5bec2dd5b824c715380e
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

encoder-1.1.jar

Description:

The OWASP Encoders package is a collection of high-performance low-overhead contextual encoders that, when utilized correctly, is an effective tool in preventing Web Application security vulnerabilities such as Cross-Site Scripting.

File Path: /home/vaclav/.m2/repository/org/owasp/encoder/1.1/encoder-1.1.jar
MD5: be2f4935acd2f38c4bf6d6785ffb3c4b
SHA1: 4a30f7daebfaddd665a96e18fd371bfe8a7db1b8
SHA256:cdf109ec3dfdfea91dd6415246547202ab9f8e7341c4142bf53920e3e87a9c56
Referenced In Project/Scope: OpenKM Web Application:compile
encoder-1.1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12

Identifiers

erlang.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/erlang/erlang.js
MD5: b8019b8e689846b0d145a565446c2a2b
SHA1: 02825fc24af065631e7e7e9a80e4ca4593461639
SHA256:f21d165b84f43d1ec29a6bab640046570fc06c55e2d4440d37d8d41cc0d376b8
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

es.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/es.js
MD5: ef5ccba778d10c87c539b76ead3c5b58
SHA1: ad52b2ba37a80c399eb9f8ab2264d31c0619b96f
SHA256:2665f32a51225f555c1287159c1818e2e54fd7965b67208bd7ff21ab3cae0b13
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

et.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/et.js
MD5: f0ac017f163f69abdb714eddc5e2830e
SHA1: c51f4bf5e474bada2bc563dc27f18ad5cb2aac7b
SHA256:5a8f0f11f7541ab97b3724a9172949a063a92121b657359d5007d7ec716687a0
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

eu.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/eu.js
MD5: d25ad2302567fd74177d45fd0f1b0da9
SHA1: 3caf453bb272a4e3e47e6f70c4dec31a1e591622
SHA256:77efc79c45dffb33ac9e33024fcf9f5d57987b6c12b90991b12accee83aefaef
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

fa.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/fa.js
MD5: 2b2d3376f6ff03eace59784b96a46290
SHA1: 6ef9261a9e5c5dbf1d5328733b756bfbb8268fbb
SHA256:31e9aa5a3b4ee0fb4163ce14847e1361e830bf995607432e4cf5a476e995fbcb
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

fi.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/fi.js
MD5: d9278f485ee86479b43cb5de5d016165
SHA1: 0bee5238b7f5e6b3a0c897e2e3ffa517b80748d9
SHA256:c91fc10bf5d57159038eb19db86ca8a856173661e89c8ae469b476e152381cbf
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

fixedTableHeader.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/fixedTableHeader.js
MD5: cd6643b9128d3035924b3fe7186f91c9
SHA1: 6f7651bcb1c89fbe497ac1531ae9b7c431178c15
SHA256:1ca59ba6e1736c5d9af9dd6626af6cde85d9c77e7a0bb5d7956bdf9c6a7d4762
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

flexpaper_flash.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/flexpaper/flexpaper_flash.js
MD5: f0f9ec067a59aad2eaf3bbdc68ef589c
SHA1: b1a9051711a1185a551c802b3c34abfa9ff7ff71
SHA256:b5b0f2d406f850086d2877cc986663cde11c162324920eea867a809f22db85c4
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

fo.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/fo.js
MD5: 3e0e4671f0a6b4a837c8cc2297be349e
SHA1: 7644cdc9994e4f47a1bf9f6092408a19d8fc03d9
SHA256:60febe32011302b703e177607c0a23e1e20cba7b9e504931150ef870674351df
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

foldcode.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/addon/fold/foldcode.js
MD5: 9e2ee7846dfad540a3abaa8277005f17
SHA1: 7b5c881b9a4e0026f8aa4262d8ae1ebd64d76815
SHA256:cd2bace07cd23c8f6e5c2e654ce32245992f7b25cc4572acab2ababa4b39231e
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

foldgutter.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/addon/fold/foldgutter.js
MD5: f128b2e16b974ea6c10e0fcf95956e24
SHA1: ca6c204ae3ec2fb833bf42593eddada52fa506bd
SHA256:401f871cccf79b9cbf5d8a3f64ac7027955dd817532c9c4b9c134d67300de2fb
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

fontbox-2.0.13.jar

Description:

The Apache FontBox library is an open source Java tool to obtain low level information from font files. FontBox is a subproject of Apache PDFBox.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/vaclav/.m2/repository/org/apache/pdfbox/fontbox/2.0.13/fontbox-2.0.13.jar
MD5: f6dd2dbe55ea47062f7ac0543f7e29c6
SHA1: a1361adacfe9bebf262a5e05a97f1add9af1cc05
SHA256:e37f809231c8c71276a87bb08272d007a0b4bfe857add208906d51da731a0104
Referenced In Project/Scope: OpenKM Web Application:compile
fontbox-2.0.13.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.apache.pdfbox/pdfbox@2.0.13

Identifiers

fop-1.1.jar

Description:

Apache FOP (Formatting Objects Processor) is the world's first print formatter driven by XSL formatting objects (XSL-FO) and the world's first output independent formatter. It is a Java application that reads a formatting object (FO) tree and renders the resulting pages to a specified output. Output formats currently supported include PDF, PCL, PS, AFP, TIFF, PNG, SVG, XML (area tree representation), Print, AWT and TXT. The primary output target is PDF.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/vaclav/.m2/repository/org/apache/xmlgraphics/fop/1.1/fop-1.1.jar
MD5: 97f0cf9c6195d241515a44ead528c463
SHA1: 95978100a6cde324078947a2d476cf2f207a7e5a
SHA256:5fc99990806b5553e134097cabb49ac1f519b0e3b56b821bd00f6a30c83bb3f3
Referenced In Project/Scope: OpenKM Web Application:compile
fop-1.1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.docx4j/docx4j@3.1.0

Identifiers

fortran.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/fortran/fortran.js
MD5: 39579ebc0136a694f04dba8a774552e3
SHA1: bda207ebb2c5ab95e11de253dbf0911dfe0f6ef0
SHA256:06b215960ce24697167bb48e70b3d47b5533bf53ff8bbb76157f6b7386b07a5d
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

fr_FR.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/fr_FR.js
MD5: 0a079435385a4b675fe5142f25001eb7
SHA1: 2c377c96478576f19c7881643259736990b20f33
SHA256:a85b8bf33f31d7b35efb11d70df25e1635618ffdcd2b5d898eb20ed82920a2e1
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

freemarker-2.3.16.jar

Description:

FreeMarker is a "template engine"; a generic tool to generate text output based on templates.

License:

BSD-style license: http://freemarker.org/LICENSE.txt
File Path: /home/vaclav/.m2/repository/org/freemarker/freemarker/2.3.16/freemarker-2.3.16.jar
MD5: d21d641eb5b49c8c737502fbbb8b0ff6
SHA1: 71743c024b499aa5dfa5d671b283991f330bade0
SHA256:746802f028eb68f483fdad5f3363f4e31260bcd47bfdffb6c15fd0a77bd95248
Referenced In Project/Scope: OpenKM Web Application:compile
freemarker-2.3.16.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/net.sf.jodreports/jodreports@2.4.0

Identifiers

fullscreen.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/addon/display/fullscreen.js
MD5: 893000c6ef04cb127c23aae9933c9ec4
SHA1: eebadf4277b1243dd6033b7bcaac298abf2fb05d
SHA256:a0723c2aa3ec597463956a2f2e5d1dfd49bd50e0d6f2fd5f2bc20032624be220
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

gas.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/gas/gas.js
MD5: c20a0cf645ca377a41a7729e1e5f2591
SHA1: 994e03efcc65a739a614656f104d7c711666e40d
SHA256:08f13be2cce6b62e6f5a9c1b6f6c0588d53b549d5ed8cbed82871c9ba74c7481
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

gd.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/gd.js
MD5: d724396bfb38c7387d8997f363429868
SHA1: 7bcc36f930b5c2ed0c364d277dff82fe3fadf38a
SHA256:224cdc5b8496caabbdfc9cafeaa695105c3381c9c39e12a6b8e848bff5a25c6b
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

gfm.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/gfm/gfm.js
MD5: a42f61354da00547657ca8c0cd022a14
SHA1: eb3d3db2034323ebbcde4d3221a3c2cbe86e53fa
SHA256:f0897c9c3669175aa2a30a89d6ce01b90b5269485fbb6e508818a7874680df99
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

gherkin.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/gherkin/gherkin.js
MD5: 73be9ce1ab6b96349fc6c417e58051a0
SHA1: 18c66388a85055f84f2a18bf186f47271df06ff3
SHA256:b4e5ae4fbe25ead88e92b3a74d2ac8a28aabf97e5ea4f36d235a3aaa8e42e43c
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

gl.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/gl.js
MD5: 7f759e1b80b4f2c9fa6781fdbdba4f7e
SHA1: 947f855a69dc2b22c5c0077b40fc69b7c0f1d212
SHA256:0e6bd0707bc223a58cef848c24438b050b6b0ee059c71316b08625b247a65542
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

go.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/go/go.js
MD5: dc8ffcc1f0271ce7ec0f251bdbaa8f4e
SHA1: 6c83378dd0de15defa3bbf3e25e94a9ef30e3ce6
SHA256:b983337f07cb50e2196507e1b51a4102247ea5f9b1a134bb3250971e98fd9fef
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

google-api-client-1.20.0.jar

File Path: /home/vaclav/.m2/repository/com/google/api-client/google-api-client/1.20.0/google-api-client-1.20.0.jar
MD5: d8b8b746adc5cfb2b23e5c9784165c5d
SHA1: d3e66209ae9e749b2d6833761e7885f60f285564
SHA256:ec6cdbf7989709761d73156a1db6b9247d0b44043b0e486d275a4377a34b109e
Referenced In Project/Scope: OpenKM Web Application:compile
google-api-client-1.20.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12

Identifiers

google-http-client-1.20.0.jar

Description:

Google HTTP Client Library for Java. Functionality that works on all supported Java platforms, including Java 5 (or higher) desktop (SE) and web (EE), Android, and Google App Engine.

File Path: /home/vaclav/.m2/repository/com/google/http-client/google-http-client/1.20.0/google-http-client-1.20.0.jar
MD5: 70c5b241c361a8e630ddbea6e7c111ea
SHA1: 93d82db2bca534960253f43424b2ba9d7638b4d2
SHA256:345958d00cbfa69c3e93b356872abdd3ad03e9e4204b7229ccef258dd3921d4a
Referenced In Project/Scope: OpenKM Web Application:compile
google-http-client-1.20.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.google.api-client/google-api-client@1.20.0

Identifiers

google-http-client-jackson2-1.20.0.jar

File Path: /home/vaclav/.m2/repository/com/google/http-client/google-http-client-jackson2/1.20.0/google-http-client-jackson2-1.20.0.jar
MD5: c3e65427c9569f4cde743d98ff89f6e6
SHA1: 2408070b2abec043624d35b35e30450f1b663858
SHA256:7a297bc26a572a79d52db1b7fe706b6dbdbb575dc502e04bd804c26bb31e2f31
Referenced In Project/Scope: OpenKM Web Application:compile
google-http-client-jackson2-1.20.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.google.api-client/google-api-client@1.20.0

Identifiers

google-oauth-client-1.20.0.jar

Description:

Google OAuth Client Library for Java. Functionality that works on all supported Java platforms, including Java 5 (or higher) desktop (SE) and web (EE), Android, and Google App Engine.

File Path: /home/vaclav/.m2/repository/com/google/oauth-client/google-oauth-client/1.20.0/google-oauth-client-1.20.0.jar
MD5: 901097b9f7ccbe230e447db67711d80c
SHA1: 1d086ac5756475ddf451af2e2df6e288d18608ca
SHA256: 8cda94ac3f3e3037a2cb1eace8d1c5436612c86844e8e45f1a451a45d99984ca
Referenced In Project/Scope: OpenKM Web Application:compile
google-oauth-client-1.20.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.google.api-client/google-api-client@1.20.0

Identifiers

CVE-2020-7692  

PKCE support is not implemented in accordance with the RFC for OAuth 2.0 for Native Apps. Without the use of PKCE, the authorization code returned by an authorization server is not enough to guarantee that the client that issued the initial authorization request is the one that will be authorized. An attacker is able to obtain the authorization code using a malicious app on the client-side and use it to gain authorization to the protected resource. This affects the package com.google.oauth-client:google-oauth-client before 1.31.0.
CWE-863 Incorrect Authorization

CVSSv2:
  • Base Score: MEDIUM (6.4)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: CRITICAL (9.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2021-22573  

The vulnerability is that the IDToken verifier does not verify whether the token is properly signed. Signature verification makes sure that the token's payload comes from a valid provider, not from someone else. An attacker can provide a compromised token with a custom payload, and the token will pass the validation on the client side. We recommend upgrading to version 1.33.3 or above.
CWE-347 Improper Verification of Cryptographic Signature

CVSSv2:
  • Base Score: LOW (3.5)
  • Vector: /AV:N/AC:M/Au:S/C:N/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N/E:2.1/RC:R/MAV:A

References:

Vulnerable Software & Versions:

google-oauth-client-java6-1.11.0-beta.jar

File Path: /home/vaclav/.m2/repository/com/google/oauth-client/google-oauth-client-java6/1.11.0-beta/google-oauth-client-java6-1.11.0-beta.jar
MD5: 0995bd4952db6995139726ae21527cb3
SHA1: c07d4fd295d5ddf9e92c23c88f854fb733770d4a
SHA256: a1d405cb3318bf844fd9cecd4a22b9bbcfc34a0a437a3eb3e141adac6796a0c5
Referenced In Project/Scope: OpenKM Web Application:compile
google-oauth-client-java6-1.11.0-beta.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.google.gdata/core@1.47.1

Identifiers

CVE-2020-7692  

PKCE support is not implemented in accordance with the RFC for OAuth 2.0 for Native Apps. Without the use of PKCE, the authorization code returned by an authorization server is not enough to guarantee that the client that issued the initial authorization request is the one that will be authorized. An attacker is able to obtain the authorization code using a malicious app on the client-side and use it to gain authorization to the protected resource. This affects the package com.google.oauth-client:google-oauth-client before 1.31.0.
CWE-863 Incorrect Authorization

CVSSv2:
  • Base Score: MEDIUM (6.4)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: CRITICAL (9.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2021-22573  

The vulnerability is that the IDToken verifier does not verify whether the token is properly signed. Signature verification makes sure that the token's payload comes from a valid provider, not from someone else. An attacker can provide a compromised token with a custom payload, and the token will pass the validation on the client side. We recommend upgrading to version 1.33.3 or above.
CWE-347 Improper Verification of Cryptographic Signature

CVSSv2:
  • Base Score: LOW (3.5)
  • Vector: /AV:N/AC:M/Au:S/C:N/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N/E:2.1/RC:R/MAV:A

References:

Vulnerable Software & Versions:

google-oauth-client-jetty-1.11.0-beta.jar

File Path: /home/vaclav/.m2/repository/com/google/oauth-client/google-oauth-client-jetty/1.11.0-beta/google-oauth-client-jetty-1.11.0-beta.jar
MD5: 1ee2e0209b163ebb53fa3ea1d43eb66a
SHA1: 7264fbc551ad8219b014feb662b1f1d187c2e7b7
SHA256: b96bcb1924003370f5d59d799d70c62bf1bd7ca9dace09ec1e42457d7028ba29
Referenced In Project/Scope: OpenKM Web Application:compile
google-oauth-client-jetty-1.11.0-beta.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.google.gdata/core@1.47.1

Identifiers

CVE-2020-7692  

PKCE support is not implemented in accordance with the RFC for OAuth 2.0 for Native Apps. Without the use of PKCE, the authorization code returned by an authorization server is not enough to guarantee that the client that issued the initial authorization request is the one that will be authorized. An attacker is able to obtain the authorization code using a malicious app on the client-side and use it to gain authorization to the protected resource. This affects the package com.google.oauth-client:google-oauth-client before 1.31.0.
CWE-863 Incorrect Authorization

CVSSv2:
  • Base Score: MEDIUM (6.4)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: CRITICAL (9.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2021-22573  

The vulnerability is that the IDToken verifier does not verify whether the token is properly signed. Signature verification makes sure that the token's payload comes from a valid provider, not from someone else. An attacker can provide a compromised token with a custom payload, and the token will pass the validation on the client side. We recommend upgrading to version 1.33.3 or above.
CWE-347 Improper Verification of Cryptographic Signature

CVSSv2:
  • Base Score: LOW (3.5)
  • Vector: /AV:N/AC:M/Au:S/C:N/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N/E:2.1/RC:R/MAV:A

References:

Vulnerable Software & Versions:

groovy-all-minimal-1.5.8.jar

Description:

Groovy: A powerful, dynamic language for the JVM

File Path: /home/vaclav/.m2/repository/org/codehaus/groovy/groovy-all-minimal/1.5.8/groovy-all-minimal-1.5.8.jar
MD5: f9d1409298f02e76148acf2c2acf9b5d
SHA1: cf8d95c0d9d4fd08b814c0eb5e32e0216cd07e0d
SHA256: 267171b95bc929b641c6a918e88d506c14d770d97b6ad743f7350aef777e263d
Referenced In Project/Scope: OpenKM Web Application:compile
groovy-all-minimal-1.5.8.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12

Identifiers

groovy.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/groovy/groovy.js
MD5: 923efb2d57dae27cf502a3a58a3531b7
SHA1: ae71ebe7254481e263c4559f91c0b3cddc34be89
SHA256: ab6d2a56b14c9d824762d5dc7393b0dde4416e25ae40bbe176805955db5f7cf9
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

gson-2.2.4.jar

Description:

Google Gson library

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/vaclav/.m2/repository/com/google/code/gson/gson/2.2.4/gson-2.2.4.jar
MD5: 2f54fc24807a4cad7297012dd8cebf3d
SHA1: a60a5e993c98c864010053cb901b7eab25306568
SHA256: c0328cd07ca9e363a5acd00c1cf4afe8cf554bd6d373834981ba05cebec687fb
Referenced In Project/Scope: OpenKM Web Application:compile
gson-2.2.4.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12

Identifiers

CVE-2022-25647  

Versions of the package com.google.code.gson:gson before 2.8.9 are vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions:

guava-20.0.jar

Description:

Guava is a suite of core and expanded libraries that include utility classes, Google's collections, I/O classes, and much, much more.

Guava has only one code dependency - javax.annotation, per the JSR-305 spec.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/vaclav/.m2/repository/com/google/guava/guava/20.0/guava-20.0.jar
MD5: f32a8a2524620dbecc9f6bf6a20c293f
SHA1: 89507701249388e1ed5ddcf8c41f4ce1be7831ef
SHA256: 36a666e3b71ae7f0f0dca23654b67e086e6c93d192f60ba5dfd5519db6c288c8
Referenced In Project/Scope: OpenKM Web Application:compile
guava-20.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12

Identifiers

CVE-2023-2976  

Use of Java's default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class.

Even though the security vulnerability is fixed in version 32.0.0, we recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.

CWE-552 Files or Directories Accessible to External Parties

CVSSv3:
  • Base Score: HIGH (7.1)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:1.8/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2018-10237  

Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:2.2/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2020-8908  

A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @Deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.

CWE-378 Creation of Temporary File With Insecure Permissions, CWE-732 Incorrect Permission Assignment for Critical Resource

CVSSv2:
  • Base Score: LOW (2.1)
  • Vector: /AV:L/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: LOW (3.3)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:1.8/RC:R/MAV:A

References:

Vulnerable Software & Versions:

gwt-incubator-2.1.0.jar

File Path: /home/vaclav/.m2/repository/com/google/gwt/gwt-incubator/2.1.0/gwt-incubator-2.1.0.jar
MD5: ffb9efd602f4c142257225d768a12dd8
SHA1: 3aa16d4c7c00edad4719092669d820a34e10ef0a
SHA256: 07d4dc0da9c80d780b9ff048d38f3dccb30dcb874f9dea25e11cf84eaf02d1b3
Referenced In Project/Scope: OpenKM Web Application:compile
gwt-incubator-2.1.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12

Identifiers

gwt-log-3.3.1.jar

Description:

Library providing easy to use logging capabilities to Google Web Toolkit (GWT) projects.

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /home/vaclav/.m2/repository/com/allen-sauer/gwt/log/gwt-log/3.3.1/gwt-log-3.3.1.jar
MD5: 6a5badb59045e2261114758124e5a626
SHA1: 4bab403e1b9b44d6d64d232942c1690f269fa68a
SHA256: fce757493036f17ee571690c8f771ab0899f350a25e48d033e0313a524b774ee
Referenced In Project/Scope: OpenKM Web Application:compile
gwt-log-3.3.1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12

Identifiers

gwt-servlet-2.8.2.jar (shaded: com.google.protobuf:protobuf-java:2.5.0)

Description:

Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.

License:

New BSD license: http://www.opensource.org/licenses/bsd-license.php
File Path: /home/vaclav/.m2/repository/com/google/gwt/gwt-servlet/2.8.2/gwt-servlet-2.8.2.jar/META-INF/maven/com.google.protobuf/protobuf-java/pom.xml
MD5: c28384af06c20f1a57cb6f23bb1b3620
SHA1: afdfa377bd3be73d5ef14cc13513cd195c7c1d18
SHA256: 950d4421b2f8889acab99a8aab82f8663f0f80d120ad7cbec6a189a151be805b
Referenced In Project/Scope: OpenKM Web Application:runtime

Identifiers

CVE-2022-3171  

A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields cause objects to be converted back and forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
CWE-20 Improper Input Validation, NVD-CWE-noinfo

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2022-3509 (OSSINDEX)  

A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3, can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields cause objects to be converted back and forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
CWE-20 Improper Input Validation

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.google.protobuf:protobuf-java:2.5.0:*:*:*:*:*:*:*

CVE-2021-22569  

An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.
NVD-CWE-noinfo, CWE-696 Incorrect Behavior Order

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:1.8/RC:R/MAV:A

References:

Vulnerable Software & Versions:

gwt-servlet-2.8.2.jar

File Path: /home/vaclav/.m2/repository/com/google/gwt/gwt-servlet/2.8.2/gwt-servlet-2.8.2.jar
MD5: 482772fc8f2b97068c8ddacc8c120780
SHA1: a538bc7b20dece1ca9c517d8ec5f6819ba2fdec9
SHA256: 1d971e8efd3f57227a9204d058c1e5f64f1d79e4030a34c884d3bdf982dd263d
Referenced In Project/Scope: OpenKM Web Application:runtime
gwt-servlet-2.8.2.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12

Identifiers

gwt-user-2.8.2.jar

File Path: /home/vaclav/.m2/repository/com/google/gwt/gwt-user/2.8.2/gwt-user-2.8.2.jar
MD5: 4344edd17705723debc1e1820943ad73
SHA1: a2b9be2c996a658c4e009ba652a9c6a81c88a797
SHA256: 9f420f0d0c2f177d71cb1794b3be1418f9755f6e4181101af3951b8302b9556d
Referenced In Project/Scope: OpenKM Web Application:provided
gwt-user-2.8.2.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12

Identifiers

gwt-user-2.8.2.jar: closurehelpers.js

File Path: /home/vaclav/.m2/repository/com/google/gwt/gwt-user/2.8.2/gwt-user-2.8.2.jar/com/google/gwt/junit/linker/closurehelpers.js
MD5: 2df11a5f3690aa991f5b327958fa51d6
SHA1: 1ca87610a75d819b7681291efda14e29623f219b
SHA256: ca2a16c92adae2bb7d2f32e948cf0f74892a68477722c0e72ef62a4cfde0ea07
Referenced In Project/Scope: OpenKM Web Application:provided

Identifiers

  • None

gwt-user-2.8.2.jar: initWindowCloseHandler.js

File Path: /home/vaclav/.m2/repository/com/google/gwt/gwt-user/2.8.2/gwt-user-2.8.2.jar/com/google/gwt/user/client/impl/initWindowCloseHandler.js
MD5: e7b8f571ae0a24e5f850ebd88acc0ff4
SHA1: e5a2ed16ed5a2736476ca011dfef836d049c0d62
SHA256: 4f2530b7c813de59ec9654f840b5e280b6bbf89c8bfcf423359926854de48983
Referenced In Project/Scope: OpenKM Web Application:provided

Identifiers

  • None

gwt-user-2.8.2.jar: initWindowResizeHandler.js

File Path: /home/vaclav/.m2/repository/com/google/gwt/gwt-user/2.8.2/gwt-user-2.8.2.jar/com/google/gwt/user/client/impl/initWindowResizeHandler.js
MD5: 94b2e7183f363ee72758b981ea642bcd
SHA1: ea090795ccc0039cfed648dcef722dc15d22cb0f
SHA256: 413b8d90bfd5dd3cd1925e74d0ea8dc97ba2efbeecaf8a11e3b661781d529174
Referenced In Project/Scope: OpenKM Web Application:provided

Identifiers

  • None

gwt-user-2.8.2.jar: initWindowScrollHandler.js

File Path: /home/vaclav/.m2/repository/com/google/gwt/gwt-user/2.8.2/gwt-user-2.8.2.jar/com/google/gwt/user/client/impl/initWindowScrollHandler.js
MD5: 61a257f10f806b6d71d7bcfa541f132b
SHA1: 7543afe38b20b1e70a100eb58374cd2e97f88f6a
SHA256: f412b5fd48176742090c4cb6dea7477c5a6b2720bd488225fcfd147ebc163715
Referenced In Project/Scope: OpenKM Web Application:provided

Identifiers

  • None

gwt-vl-2.0b-without-hibernate.jar

File Path: /home/vaclav/.m2/repository/gwt-vl/sourceforge/net/gwt-vl/2.0b-without-hibernate/gwt-vl-2.0b-without-hibernate.jar
MD5: 2b7e52489be1b90f4995ebbd4cfa309f
SHA1: b4d6273f190fc3cec55ca3e8f4c75cdb43fae370
SHA256: a5b10bdc38d354ff1dee304d14ac6a214ca66dc27b06e379c614d6e8d4a50237
Referenced In Project/Scope: OpenKM Web Application:compile
gwt-vl-2.0b-without-hibernate.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12

Identifiers

hamcrest-core-1.3.jar

Description:

This is the core API of the hamcrest matcher framework to be used by third-party framework providers. This includes a foundation set of matcher implementations for common operations.

File Path: /home/vaclav/.m2/repository/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.jar
MD5: 6393363b47ddcbba82321110c3e07519
SHA1: 42a25dc3219429f0e5d060061f71acb49bf010a0
SHA256: 66fdef91e9739348df7a096aa384a5685f4e875584cce89386a7a47251c4d8e9
Referenced In Project/Scope: OpenKM Web Application:compile
hamcrest-core-1.3.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/junit/junit@4.11

Identifiers

haml.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/haml/haml.js
MD5: 34e32d03c8b03cfc4c3d0a35956ffe73
SHA1: a6491f4006aa0bf1df56ec4af3fdf3d0404784c9
SHA256: c20b08cd9d3da1a3ac6f926884c36f3d6faf8aabc6a3cf59bc8a301e4517ed6d
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

hardwrap.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/addon/wrap/hardwrap.js
MD5: ef9a6f7c7640e3af40060a9066d19acd
SHA1: 02a8b85561b9d4c44bc08e73d28c5ebaa9a31f71
SHA256: 04ba700213ce2182ea75b321847055d16da770b0178f1c989e72b5541fe10ff8
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

haskell.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/haskell/haskell.js
MD5: 17fe6c2bad0e7410f3315e38434dbb8f
SHA1: 2defad5d931c7ed1558100c8a46d233ee33e0029
SHA256: ba3024aaf10ee6651e65faa9b581ff452cdc3b3a4b09db7d05ed516b888479c2
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

haxe.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/haxe/haxe.js
MD5: 471f1fcc5b4278ce48cfd3b437927255
SHA1: 693b68c8c400e55be95fcf85bc5c6c19ec552bce
SHA256: 6654c345e99d5c6001d4a7955c0b887f12e6109f6692681df50cf7f715ee8ffc
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

he_IL.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/he_IL.js
MD5: 3d46a747d7adb8ec7f8c866eb7a903d2
SHA1: f60895ffad2f499c0dc3f4d6888fc18b0cee31c2
SHA256: dc0f4dc328df2787e8dc765c014358d1fa5a29e23a2d2d49026d01202a1c4732
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

hibernate-commons-annotations-3.2.0.Final.jar

Description:

Common reflection code used in support of annotation processing

License:

GNU LESSER GENERAL PUBLIC LICENSE: http://www.gnu.org/licenses/lgpl.txt
File Path: /home/vaclav/.m2/repository/org/hibernate/hibernate-commons-annotations/3.2.0.Final/hibernate-commons-annotations-3.2.0.Final.jar
MD5: 8ae1ea6c2a3d854c6436f6f70e04f699
SHA1: ce990611448fc2865469e3b68d2fe76b050e3c4f
SHA256: b9abf4d76da72dc06a24399ebd9e55a7ab2e58d53ca766e7fd562c32fde45464
Referenced In Project/Scope: OpenKM Web Application:compile
hibernate-commons-annotations-3.2.0.Final.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.hibernate/hibernate-core@3.6.10.Final

Identifiers

hibernate-core-3.6.10.Final.jar

Description:

The core functionality of Hibernate

File Path: /home/vaclav/.m2/repository/org/hibernate/hibernate-core/3.6.10.Final/hibernate-core-3.6.10.Final.jar
MD5: cdc5eb67414eb75f69382bbe637151c0
SHA1: 6b36a1eef76cbccc2757f22a795b5e12ab56b3d5
SHA256: 99abcfa253d24c2c3ee3c146927dc72afdc21e84b658b2632dc685ed1ff3094f
Referenced In Project/Scope: OpenKM Web Application:compile
hibernate-core-3.6.10.Final.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12

Identifiers

CVE-2020-25638  

A flaw was found in hibernate-core in versions prior to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity.
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSSv2:
  • Base Score: MEDIUM (5.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.4)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:2.2/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2019-14900  

A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:2.8/RC:R/MAV:A

References:

Vulnerable Software & Versions:

hibernate-jpa-2.0-api-1.0.1.Final.jar

Description:

Hibernate definition of the Java Persistence 2.0 (JSR 317) API.

License:

license.txt
File Path: /home/vaclav/.m2/repository/org/hibernate/javax/persistence/hibernate-jpa-2.0-api/1.0.1.Final/hibernate-jpa-2.0-api-1.0.1.Final.jar
MD5: d7e7d8f60fc44a127ba702d43e71abec
SHA1: 3306a165afa81938fc3d8a0948e891de9f6b192b
SHA256: bacfb6460317d421aa2906d9e63c293b69dc1a5dac480d0f6416df50796a4bb3
Referenced In Project/Scope: OpenKM Web Application:compile
hibernate-jpa-2.0-api-1.0.1.Final.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.hibernate/hibernate-core@3.6.10.Final

Identifiers

hibernate-search-3.4.2.Final.jar

Description:

Hibernate Search

File Path: /home/vaclav/.m2/repository/org/hibernate/hibernate-search/3.4.2.Final/hibernate-search-3.4.2.Final.jar
MD5: c985a7d20374163655a2e86c75ea9826
SHA1: d700f79603ac3f681531486924c4c5a2ba48fca1
SHA256: 3ea5d58fc7c6a16d58fd0e81ea7da1e6ae53e6122f56d4eab5f30ff38c0d3e1c
Referenced In Project/Scope: OpenKM Web Application:compile
hibernate-search-3.4.2.Final.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12

Identifiers

CVE-2020-25638  

A flaw was found in hibernate-core in versions prior to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity.
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSSv2:
  • Base Score: MEDIUM (5.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.4)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:2.2/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2019-14900  

A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:2.8/RC:R/MAV:A

References:

Vulnerable Software & Versions:

hibernate-validator-4.2.0.Final.jar (shaded: com.googlecode.jtype:jtype:0.1.1)

Description:

Library for working with the Java 5 type system

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/vaclav/.m2/repository/org/hibernate/hibernate-validator/4.2.0.Final/hibernate-validator-4.2.0.Final.jar/META-INF/maven/com.googlecode.jtype/jtype/pom.xml
MD5: a1dde0cb5b6ebe7e7d3540e0310042ac
SHA1: 2b51d041544482b183c1ae49eba99099d6f14998
SHA256: 8343daff35c06bed3b10ba850b76337e83eeed0221734788a3c06b246d8347f1
Referenced In Project/Scope: OpenKM Web Application:compile

Identifiers

hibernate-validator-4.2.0.Final.jar

Description:

Hibernate's Bean Validation (JSR-303) reference implementation.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/vaclav/.m2/repository/org/hibernate/hibernate-validator/4.2.0.Final/hibernate-validator-4.2.0.Final.jar
MD5: 2b6b64bce7156ca6e9b7f5e6a0a6de7c
SHA1: eac2db0a9d86a9749724fe93d43afffa8106f25e
SHA256: 38dd0af5fdad46bb30270f2d987136ad5ea9bc16927182af7d639e78828133a5
Referenced In Project/Scope: OpenKM Web Application:compile
hibernate-validator-4.2.0.Final.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12

Identifiers

CVE-2017-7536 (OSSINDEX)  

In Hibernate Validator 5.2.x before 5.2.5 final, 5.3.x, and 5.4.x, it was found that when the security manager's reflective permissions, which allow it to access the private members of a class, are granted to Hibernate Validator, a potential privilege escalation can occur. By allowing the calling code to access those private members without the permission, an attacker may be able to validate an invalid instance and access the private member value via ConstraintViolation#getInvalidValue().

Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2017-7536 for details
CWE-470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

CVSSv3:
  • Base Score: HIGH (7.0)
  • Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.hibernate:hibernate-validator:4.2.0.Final:*:*:*:*:*:*:*

CVE-2019-10219  

A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions. This vulnerability can result in an XSS attack.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:2.8/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2014-3558  

ReflectionHelper (org.hibernate.validator.util.ReflectionHelper) in Hibernate Validator 4.1.0 before 4.2.1, 4.3.x before 4.3.2, and 5.x before 5.1.2 allows attackers to bypass Java Security Manager (JSM) restrictions and execute restricted reflection calls via a crafted application.
CWE-264 Permissions, Privileges, and Access Controls

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N

References:

Vulnerable Software & Versions:

hr.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/hr.js
MD5: 743705fb6eabf3ee7d6e1ea1ea5b21da
SHA1: 91a2a7b273fda83fc5d6d601882b19ecca6c430f
SHA256: 0949ba160d7e01133eb9345305906f6baca0ba9b994616251440b2f6be5e9d98
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

html-hint.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/addon/hint/html-hint.js
MD5: 8e8160c22d56fd2ab5e6076c7d111567
SHA1: 1895814e41ac7b226d9cf041dab3111fe1b06fae
SHA256: 995d59fdd28796f4b274da8b520f0507d8584b8d052c67b9e5bc0164b43fd467
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

html5gwt-140127.jar

File Path: /home/vaclav/.m2/repository/com/github/akjava/html5gwt/140127/html5gwt-140127.jar
MD5: 48c496452b25020dab79fb0c20839582
SHA1: 8da52c46192c0af53e8d2c41e880ac73b80796ef
SHA256: bcb204099e8061c8213802056c02b3446b9b6b256fe0584cf8bb93378d28cd66
Referenced In Project/Scope: OpenKM Web Application:compile
html5gwt-140127.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12

Identifiers

htmlembedded.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/htmlembedded/htmlembedded.js
MD5: e83607e4ae9916fa58c5165639b5f672
SHA1: fdebe690b6aa5e4de41bef4ec066b54d428fb428
SHA256: a2a62384bf7c202405eec1d68195f59843e46f3e47ecd95cfb91b3bea6e012fe
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

htmlmixed.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/htmlmixed/htmlmixed.js
MD5: 641430c683c7ddc1a15a225276ad12eb
SHA1: 6120f6c93c083704db192f1bb25f6d46f3ce5877
SHA256: 0cadecaf3cbf504e3795fd00264e9c4b4c1382ac024bbefb611b03bc4e05f080
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

http.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/http/http.js
MD5: 1fca566b1daf47b8e1bb59056311c27f
SHA1: 5bcc8b00286662007936b03e9008ecb6bde3bdbe
SHA256:6f82145df096decfcfac5e19b0474e20e7f88db4bda5b218cb8b99afa840d17e
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

httpclient-4.0.1.jar

Description:

HttpComponents Client (base module)

License:

Apache License: ../LICENSE.txt
File Path: /home/vaclav/.m2/repository/org/apache/httpcomponents/httpclient/4.0.1/httpclient-4.0.1.jar
MD5: 9ca98774860101c06ca9010efd6224a1
SHA1: 1d7d28fa738bdbfe4fbd895d9486308999bdf440
SHA256:752596ebdc7c9ae5d9a655de3bb06d078734679a9de23321dbf284ee44563c03
Referenced In Project/Scope: OpenKM Web Application:compile
httpclient-4.0.1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.google.api-client/google-api-client@1.20.0

Identifiers

CVE-2014-3577  

org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a "CN=" string in a field in the distinguished name (DN) of a certificate, as demonstrated by the "foo,CN=www.apache.org" string in the O field.
NVD-CWE-Other

CVSSv2:
  • Base Score: MEDIUM (5.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:N

References:

Vulnerable Software & Versions:

CVE-2020-13956  

Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2012-6153 (OSSINDEX)  

http/conn/ssl/AbstractVerifier.java in Apache Commons HttpClient before 4.2.3 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field.  NOTE: this issue exists because of an incomplete fix for CVE-2012-5783.
CWE-20 Improper Input Validation

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.apache.httpcomponents:httpclient:4.0.1:*:*:*:*:*:*:*

CVE-2015-5262 (OSSINDEX)  

http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents HttpClient before 4.3.6 ignores the http.socket.timeout configuration setting during an SSL handshake, which allows remote attackers to cause a denial of service (HTTPS call hang) via unspecified vectors.
CWE-399 Resource Management Errors

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.apache.httpcomponents:httpclient:4.0.1:*:*:*:*:*:*:*

CVE-2011-1498  

Apache HttpClient 4.x before 4.1.1 in Apache HttpComponents, when used with an authenticating proxy server, sends the Proxy-Authorization header to the origin server, which allows remote web servers to obtain sensitive information by logging this header.
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N

References:

Vulnerable Software & Versions:
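
The five httpclient findings above share one remediation: the jar is not declared by the project but arrives through google-api-client 1.20.0, so the version has to be forced from the consuming pom. The same applies to jackson-databind-2.9.7.jar later on this page, which is referenced directly by com.openkm:openkm. The following dependencyManagement fragment is an added example, not taken from the OpenKM pom: 4.5.13 is the fix version named in CVE-2020-13956 and 2.9.10.8 the highest fix version named in the jackson-databind CVEs on this page; httpcore 4.4.13 and jackson-core/annotations 2.9.10 are assumed to be the companion releases those versions declare and should be checked against the respective poms.

```xml
<!-- Added example: force patched versions of transitive/outdated dependencies.
     Maven applies dependencyManagement to transitive dependencies as well, so this
     overrides what google-api-client 1.20.0 asks for without touching its pom. -->
<dependencyManagement>
  <dependencies>
    <!-- CVE-2014-3577, CVE-2012-6153, CVE-2015-5262, CVE-2011-1498, CVE-2020-13956:
         4.5.13 is the first release covering all of them (per CVE-2020-13956's text). -->
    <dependency>
      <groupId>org.apache.httpcomponents</groupId>
      <artifactId>httpclient</artifactId>
      <version>4.5.13</version>
    </dependency>
    <!-- httpclient and httpcore must move together; 4.4.13 is assumed to be the core
         release httpclient 4.5.13 declares (verify in its pom). -->
    <dependency>
      <groupId>org.apache.httpcomponents</groupId>
      <artifactId>httpcore</artifactId>
      <version>4.4.13</version>
    </dependency>
    <!-- jackson-databind polymorphic-typing CVEs on this page: highest named fix is 2.9.10.8.
         Core and annotations follow the 2.9.10 line (assumed companion versions). -->
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
      <version>2.9.10.8</version>
    </dependency>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-core</artifactId>
      <version>2.9.10</version>
    </dependency>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-annotations</artifactId>
      <version>2.9.10</version>
    </dependency>
  </dependencies>
</dependencyManagement>
```

After the change, confirm the resolved versions with `mvn dependency:tree -Dincludes=org.apache.httpcomponents,com.fasterxml.jackson.core` and rerun the scan (`mvn org.owasp:dependency-check-maven:check`); a version pinned here but still resolving to 4.0.1 usually means a second path (a shaded jar or a plugin dependency) that dependencyManagement does not govern. Note that CVE-2018-1000873, flagged on jackson-core and jackson-annotations, lives in jackson-modules-java8, so also check whether a jackson-datatype-jsr310 jar is present and at 2.9.8 or later.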

httpcore-4.0.1.jar

Description:

HttpComponents Core (Java 1.3 compatible)

License:

Apache License: http://www.apache.org/licenses/LICENSE-2.0.html
File Path: /home/vaclav/.m2/repository/org/apache/httpcomponents/httpcore/4.0.1/httpcore-4.0.1.jar
MD5: 6c1963fd8ac0c40c004c9e892e0d7703
SHA1: e813b8722c387b22e1adccf7914729db09bcb4a9
SHA256:3b6bf92affa85d4169a91547ce3c7093ed993b41ad2df80469fc768ad01e6b6b
Referenced In Project/Scope: OpenKM Web Application:compile
httpcore-4.0.1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.google.api-client/google-api-client@1.20.0

Identifiers

hu_HU.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/hu_HU.js
MD5: fa0d95c54da96bf29b0a98c2b4b7e745
SHA1: dbf9a27974334981e7697b7e7dc3a5e5825ff5dc
SHA256:ba198ff7d2dbb221c06152fdbb1361f5f3e502b484cca9dc184898ca37751fdc
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

hy.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/hy.js
MD5: fadae9a8a8b85fa9d61fec4c42ca7403
SHA1: 08abda05fb00c5726b2780e1165231bbd73c0f13
SHA256:4a1eb9429fecc2937b8bf3c0005afcc0395977e84392cdac6e4267ffed66c5c3
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

icu4j-50.1.1.jar

Description:

International Component for Unicode for Java (ICU4J) is a mature, widely used Java library providing Unicode and Globalization support

License:

ICU License: http://source.icu-project.org/repos/icu/icu/trunk/license.html
File Path: /home/vaclav/.m2/repository/com/ibm/icu/icu4j/50.1.1/icu4j-50.1.1.jar
MD5: 8960c153e865c776d6d49491c1f27753
SHA1: c1267563fd08f2885bc1f934ddaca15d19c3d888
SHA256:e579e154f63ca51c8108f88c3a109d5ebc4d84f165d12335fb1ae2734a8aa5f0
Referenced In Project/Scope: OpenKM Web Application:compile
icu4j-50.1.1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12

Identifiers

  • pkg:maven/com.ibm.icu/icu4j@50.1.1  (Confidence:High)
  • cpe:2.3:a:icu-project:international_components_for_unicode:50.1.1:*:*:*:*:*:*:*  (Confidence:Low)  
  • cpe:2.3:a:unicode:international_components_for_unicode:50.1.1:*:*:*:*:*:*:*  (Confidence:Low)  

id.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/id.js
MD5: 36df1b95b00488a7daf2f02dfc4773ff
SHA1: 62667f16f16f3552cc6243efb236acc8a45e7b3b
SHA256:90ccc394be6fd7bfc417f36367dce6dae815557cbb2accb947aec72e23d7009c
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

indent-fold.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/addon/fold/indent-fold.js
MD5: 4412c591f48b2d2bbe9c5139bb1d52b2
SHA1: 6255d946ec94661bb88c8712063b4bc85f0312ab
SHA256:17ca2e6d30e284dd4809299c47e84f5985a462039b0444119b593af1acf5e98d
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

is_IS.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/is_IS.js
MD5: 16e867bfe954aa415d3256dc10d6697b
SHA1: 2419132c5bc94fdcece4ce5b9d06b375bf96b3f6
SHA256:86b781ba312342332410687ad807a086f9685ef2973ab511aca946df8db88d0d
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

it.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/it.js
MD5: 934e305d21c179aa25f35472e301a525
SHA1: 647e0105d1f7b743315d4a0c95457cf039c89263
SHA256:b0803ea14507b77edc9863d7e633d7cfdfff8ca80f470f5cbb11c0f6f39ffba7
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

itext-2.1.7.js6.jar

Description:

iText, a free Java-PDF library

License:

Mozilla Public License: http://www.mozilla.org/MPL/MPL-1.1.html
File Path: /home/vaclav/.m2/repository/com/lowagie/itext/2.1.7.js6/itext-2.1.7.js6.jar
MD5: 988f560be1dc15fd4bcdbfd1d7a33270
SHA1: 06d16b69482c32d7ecf6fd513749db6f04c97ec8
SHA256:188fa94aa84e5ba4ef6f03109fcc38b127de4c05057631648e9d237372fe6de2
Referenced In Project/Scope: OpenKM Web Application:compile
itext-2.1.7.js6.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/net.sf.jasperreports/jasperreports@6.4.3

Identifiers

CVE-2017-9096  

The XML parsers in iText before 5.5.12 and 7.x before 7.0.3 do not disable external entities, which might allow remote attackers to conduct XML external entity (XXE) attacks via a crafted PDF.
CWE-611 Improper Restriction of XML External Entity Reference

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:2.8/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2022-24196  

iText v7.1.17, up to (excluding) 7.1.18 and 7.2.2, was discovered to contain an out-of-memory error via the component readStreamBytesRaw, which allows attackers to cause a Denial of Service (DoS) via a crafted PDF file.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:2.8/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2022-24197  

iText v7.1.17 was discovered to contain a stack-based buffer overflow via the component ByteBuffer.append, which allows attackers to cause a Denial of Service (DoS) via a crafted PDF file.
CWE-787 Out-of-bounds Write

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:2.8/RC:R/MAV:A

References:

Vulnerable Software & Versions:
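
CVE-2022-24196 and CVE-2022-24197 describe iText 7.1.17, whereas this jar is the old com.lowagie 2.1.7 line that jasperreports 6.4.3 pulls in; the match comes from the shared product name in the CPE, not from an affected version range. The usual handling is a suppression keyed to this jar's SHA1 (so a different iText jar is not silently covered) with the reasoning recorded in the notes. The file below is an added example of a Dependency-Check suppression file, not part of the report; the SHA1 is the one listed above. CVE-2017-9096 (XXE in iText before 5.5.12, a range that does include 2.1.7) is deliberately not suppressed, since that one needs an upgrade, not a suppression.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: dependency-check-suppressions.xml for the itext-2.1.7.js6.jar findings -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
      itext-2.1.7.js6.jar (com.lowagie:itext, transitive via net.sf.jasperreports:jasperreports:6.4.3).
      CVE-2022-24196 / CVE-2022-24197 affect iText 7.1.17 (readStreamBytesRaw, ByteBuffer.append);
      the 2.1.7 code base is matched only by product name. Reviewed: <date>, <reviewer>.
      CVE-2017-9096 (XXE, iText before 5.5.12) is NOT suppressed: track the jasperreports upgrade.
    ]]></notes>
    <!-- Pin to this exact artifact so a future iText 7.x jar is still reported -->
    <sha1>06d16b69482c32d7ecf6fd513749db6f04c97ec8</sha1>
    <cve>CVE-2022-24196</cve>
    <cve>CVE-2022-24197</cve>
  </suppress>
</suppressions>
```

Wire the file in through `<suppressionFile>` in the dependency-check-maven plugin configuration (or `--suppression` on the CLI) and keep it in version control next to the pom, so every suppression carries a reviewer and a date that the next scan can be audited against.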

ja.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/ja.js
MD5: 8ef29c9b2d6479c162cba8bbc8ae65e2
SHA1: a0e4fd2b8ec8af153de0c3970cfe98c011c2bac5
SHA256:6c93657fdcc95da1e3cc258453ef71857a155058553f86e1749e70801293f63c
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

jackson-annotations-2.9.0.jar

Description:

Core annotations used for value types, used by Jackson data binding package.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/vaclav/.m2/repository/com/fasterxml/jackson/core/jackson-annotations/2.9.0/jackson-annotations-2.9.0.jar
MD5: c09faa1b063681cf45706c6df50685b6
SHA1: 07c10d545325e3a6e72e06381afe469fd40eb701
SHA256:45d32ac61ef8a744b464c54c2b3414be571016dd46bfc2bec226761cf7ae457a
Referenced In Project/Scope: OpenKM Web Application:compile
jackson-annotations-2.9.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.7

Identifiers

CVE-2018-1000873  

FasterXML Jackson versions before 2.9.8 contain a CWE-20 (Improper Input Validation) vulnerability in jackson-modules-java8 that can result in a denial of service (DoS). The attack appears to be exploitable when the victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. This vulnerability appears to have been fixed in 2.9.8.
CWE-20 Improper Input Validation

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:2.8/RC:R/MAV:A

References:

Vulnerable Software & Versions:

jackson-core-2.9.7.jar

Description:

Core Jackson processing abstractions (aka Streaming API), implementation for JSON

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/vaclav/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.9.7/jackson-core-2.9.7.jar
MD5: ae90e61fef491afefbc9c225b6497753
SHA1: 4b7f0e0dc527fab032e9800ed231080fdc3ac015
SHA256:9e5bc0efabd9f0cac5c1fdd9ae35b16332ed22a0ee19a356de370a18a8cb6c84
Referenced In Project/Scope: OpenKM Web Application:compile
jackson-core-2.9.7.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.7

Identifiers

CVE-2018-1000873  

FasterXML Jackson versions before 2.9.8 contain a CWE-20 (Improper Input Validation) vulnerability in jackson-modules-java8 that can result in a denial of service (DoS). The attack appears to be exploitable when the victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. This vulnerability appears to have been fixed in 2.9.8.
CWE-20 Improper Input Validation

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:2.8/RC:R/MAV:A

References:

Vulnerable Software & Versions:

jackson-core-asl-1.9.11.jar

Description:

Jackson is a high-performance JSON processor (parser, generator)

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/vaclav/.m2/repository/org/codehaus/jackson/jackson-core-asl/1.9.11/jackson-core-asl-1.9.11.jar
MD5: 49801a6d43725d5c3a1a52ca021d7dc5
SHA1: e32303ef8bd18a5c9272780d49b81c95e05ddf43
SHA256:5fb6924b888550a9b0e8420747a93cc4ad24e03e724dcf4934c30cc0c4882ffc
Referenced In Project/Scope: OpenKM Web Application:compile
jackson-core-asl-1.9.11.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.amazonaws/aws-java-sdk@1.3.0

Identifiers

jackson-databind-2.9.7.jar

Description:

General data-binding functionality for Jackson: works on core streaming API

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/vaclav/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.7/jackson-databind-2.9.7.jar
MD5: 2916db8b36f4078f07dd9580bccec6c2
SHA1: e6faad47abd3179666e89068485a1b88a195ceb7
SHA256:675376decfc070b039d2be773a97002f1ee1e1346d95bd99feee0d56683a92bf
Referenced In Project/Scope: OpenKM Web Application:compile
jackson-databind-2.9.7.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12

Identifiers

CVE-2018-19360  

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2018-19361  

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2018-19362  

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2019-14379  

SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution.
CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2019-14540  

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2019-14892  

A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code.
CWE-502 Deserialization of Untrusted Data, CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2019-14893  

A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.
CWE-502 Deserialization of Untrusted Data, CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions:
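
CVE-2019-14893 above spells out the precondition that every jackson-databind entry on this page shares: the attacker only controls the class name in the JSON if the application enabled default typing (`enableDefaultTyping()`) or annotated a base type with `@JsonTypeInfo(use = Id.CLASS)` or `Id.MINIMAL_CLASS`. The 2.9.10.x fixes are per-gadget blocklists, which is why the list keeps growing; the structural fix, available from jackson-databind 2.10, is to make default typing go through an allow-list `PolymorphicTypeValidator`, or to avoid class-name type ids altogether. The following Java program is an added example, not code from OpenKM or from the Jackson project: the `Message` hierarchy and the `com.example.dms` package are assumed names, and the probe payload is constructed here. It names `javax.swing.JEditorPane` (the gadget behind CVE-2020-10969 above) precisely because that class ships with the JDK, so the outcome depends only on the mapper configuration and not on which third-party jars happen to be present.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

import java.io.IOException;

/** Added example: vulnerable vs. hardened handling of attacker-controlled type ids. */
public class PolymorphicTypingDemo {

    // Safe polymorphism: the type id is a logical name resolved against a closed list of
    // subtypes, so no class name ever crosses the wire. (Assumed application types.)
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "kind")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = Ping.class, name = "ping"),
        @JsonSubTypes.Type(value = Note.class, name = "note")
    })
    public interface Message {}
    public static class Ping implements Message { public long ts; }
    public static class Note implements Message { public String text; }

    // Constructed probe in the wire shape default typing accepts: ["fully.qualified.Class", {props}].
    // JEditorPane is the CVE-2020-10969 gadget and is part of the JDK, so it always resolves.
    public static final String PROBE_JSON = "[\"javax.swing.JEditorPane\",{}]";

    /** Vulnerable: what jackson-databind 2.9.7 offers, global default typing with no validator. */
    public static ObjectMapper vulnerableMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL); // deprecated in 2.10, unsafe in any version
        return m;
    }

    /** Hardened (jackson-databind 2.10 or later): default typing only through an allow-list validator. */
    public static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfBaseType(Message.class)        // only our own base type may be polymorphic
            .allowIfSubType("com.example.dms.")    // and only subtypes from our own package (assumed name)
            .build();                              // everything else, JDK classes included, is denied
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    /** Reports what a mapper does with the attacker-chosen type id in PROBE_JSON. */
    public static String outcome(ObjectMapper mapper) throws IOException {
        try {
            Object o = mapper.readValue(PROBE_JSON, Object.class);
            return "instantiated " + o.getClass().getName();   // the client picked the class
        } catch (InvalidTypeIdException e) {
            return "rejected: " + e.getMessage();              // validator refused the type id
        }
    }

    public static void main(String[] args) throws IOException {
        System.out.println("2.9.7-style mapper: " + outcome(vulnerableMapper()));
        System.out.println("hardened mapper:    " + outcome(hardenedMapper()));
        // The closed subtype list still gives real polymorphism without class names in the payload.
        Message msg = hardenedMapper().readValue("{\"kind\":\"note\",\"text\":\"hello\"}", Message.class);
        System.out.println("typed read:         " + msg.getClass().getSimpleName());
    }
}
```

On 2.9.7 the first line reports `instantiated javax.swing.JEditorPane`; on 2.9.10.4 or later the blocklist already stops that particular class, which illustrates why blocklists are only a stopgap: the allow-list mapper rejects any class outside the two rules regardless of which gadget the next CVE names. When auditing the OpenKM code base, grep for `enableDefaultTyping`, `activateDefaultTyping` and `Id.CLASS` / `Id.MINIMAL_CLASS`; if none of them appear, the databind CVEs on this page are not reachable through the application's own mappers, though the upgrade is still due.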

CVE-2019-16335  

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2019-16942  

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2019-16943  

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2019-17267  

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2019-17531  

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2019-20330  

FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2020-8840  

FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2020-9546  

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config).
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2020-9547  

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap).
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2020-9548  

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2020-10672  

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka aries.transaction.jms).
NVD-CWE-Other

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:2.8/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2020-10673  

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef (aka caucho-quercus).
NVD-CWE-Other

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:2.8/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2020-10968  

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.aoju.bus.proxy.provider.remoting.RmiProvider (aka bus-proxy).
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:2.8/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2020-10969  

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to javax.swing.JEditorPane.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:2.8/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2020-11111  

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms).
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:2.8/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2020-11112  

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.proxy.provider.remoting.RmiProvider (aka apache/commons-proxy).
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:2.8/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2020-11113  

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa).
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:2.8/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2020-10650  

A deserialization flaw was discovered in jackson-databind through 2.9.10.4. It could allow an unauthenticated user to perform code execution via ignite-jta or quartz-core: org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup, org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory, and org.quartz.utils.JNDIConnectionProvider.
CWE-502 Deserialization of Untrusted Data

CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:2.2/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2020-11619  

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean (aka spring-aop).
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:2.2/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2020-11620  

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.jelly.impl.Embedded (aka commons-jelly).
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:2.2/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2020-14060  

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka apache/drill).
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:2.2/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2020-14061  

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory, and oracle.jms.AQjmsXAConnectionFactory (aka weblogic/oracle-aqjms).
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:2.2/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2020-14062  

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka xalan2).
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:2.2/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2020-14195  

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to org.jsecurity.realm.jndi.JndiRealmFactory (aka org.jsecurity).
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:2.2/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2020-24616  

FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP).
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:2.2/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2020-24750  

FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:2.2/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2020-35490  

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:2.2/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2020-35491  

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:2.2/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2020-35728  

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl).
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:2.2/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2020-36179  

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:2.2/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2020-36180  

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:2.2/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2020-36181  

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:2.2/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2020-36182  

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:2.2/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2020-36183  

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:2.2/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2020-36184  

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:2.2/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2020-36185  

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:2.2/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2020-36186  

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:2.2/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2020-36187  

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:2.2/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2020-36188  

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:2.2/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2020-36189  

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:2.2/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2021-20190  

A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: HIGH (8.3)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:C
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:2.2/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2019-12086  

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2019-14439  

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2020-25649  

A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.
CWE-611 Improper Restriction of XML External Entity Reference

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2020-36518  

jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
CWE-787 Out-of-bounds Write

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2022-42003  

In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.
CWE-502 Deserialization of Untrusted Data

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2022-42004  

In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.
CWE-502 Deserialization of Untrusted Data

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2018-1000873  

FasterXML Jackson before 2.9.8 contains a CWE-20: Improper Input Validation vulnerability in Jackson-Modules-Java8 that can result in a denial of service (DoS). This attack appears to be exploitable when the victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. This vulnerability appears to have been fixed in 2.9.8.
CWE-20 Improper Input Validation

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:2.8/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2019-12384  

FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:2.2/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2019-12814  

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:2.2/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2023-35116  

jackson-databind through 2.15.2 allows attackers to cause a denial of service or other unspecified impact via a crafted object that uses cyclic dependencies. NOTE: the vendor's perspective is that this is not a valid vulnerability report, because the steps of constructing a cyclic data structure and trying to serialize it cannot be achieved by an external attacker.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv3:
  • Base Score: MEDIUM (4.7)
  • Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:1.0/RC:R/MAV:A

References:

Vulnerable Software & Versions:

jackson-dataformat-yaml-2.8.9.jar

Description:

Support for reading and writing YAML-encoded data via Jackson abstractions.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/vaclav/.m2/repository/com/fasterxml/jackson/dataformat/jackson-dataformat-yaml/2.8.9/jackson-dataformat-yaml-2.8.9.jar
MD5: 221bdac9dca5eb1953248ee75ce06a45
SHA1: 607f3253c20267e385c85f60c859760a73a29e37
SHA256:2a14e6d3d02b7041e932f5a593581623d50b284713c4269dbe8db271b4d1848c
Referenced In Project/Scope: OpenKM Web Application:compile
jackson-dataformat-yaml-2.8.9.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.apache.cxf/cxf-rt-rs-service-description-swagger@3.2.6

Identifiers

jade.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/jade/jade.js
MD5: b9fefc2fb908a70e5006f3f76824973c
SHA1: 3ddf874dcdfb20287e331acd21b4a0b20d7b6875
SHA256:d49261b1276a7017902bb1f9c485560c01e9c4e039ede8bfe7eb93581fff9aee
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

jakarta-regexp-1.4.jar

File Path: /home/vaclav/.m2/repository/jakarta-regexp/jakarta-regexp/1.4/jakarta-regexp-1.4.jar
MD5: 5d8b8c601c21b37aa6142d38f45c0297
SHA1: 0ea514a179ac1dd7e81c7e6594468b9b9910d298
SHA256:85ea3985d7fec552d6de6f02d8e18789c3fcd539081eb8c7c444eabf6cb3f7bc
Referenced In Project/Scope: OpenKM Web Application:compile
jakarta-regexp-1.4.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.apache.lucene/lucene-queries@3.1.0

Identifiers

jashi-2008.07.31.jar

File Path: /home/vaclav/.m2/repository/net/sourceforge/jashi/2008.07.31/jashi-2008.07.31.jar
MD5: bd06c15a6ba863265c490c44aea973f0
SHA1: 20c70fda2e40003d977b3135882f2192b57bff69
SHA256:31e8a8c19196739b158cec3ecf8684588d99d8fd4b0b9020924107d182395d49
Referenced In Project/Scope: OpenKM Web Application:compile
jashi-2008.07.31.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12

Identifiers

jasperreports-6.4.3.jar

Description:

JasperReports Library

License:

GNU Lesser General Public License: http://jasperreports.sourceforge.net/license.html
File Path: /home/vaclav/.m2/repository/net/sf/jasperreports/jasperreports/6.4.3/jasperreports-6.4.3.jar
MD5: a628a2e6a1b6052660592d9e286e2d1d
SHA1: ba87d1b3e5de5b6822ebb7c207896056039cde03
SHA256:b39ea10447ed43dddc4aeee097069466d684d4a4934158ec2c5889abe95f7eed
Referenced In Project/Scope: OpenKM Web Application:compile
jasperreports-6.4.3.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12

Identifiers

CVE-2018-5429  

A vulnerability in the report scripting component of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO JasperReports Library, TIBCO JasperReports Library Community Edition, TIBCO JasperReports Library for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, TIBCO Jaspersoft Reporting and Analytics for AWS, TIBCO Jaspersoft Studio, TIBCO Jaspersoft Studio Community Edition, and TIBCO Jaspersoft Studio for ActiveMatrix BPM may allow analytic reports that contain scripting to perform arbitrary code execution. Affected releases include TIBCO Software Inc.'s TIBCO JasperReports Server: versions up to and including 6.2.4; 6.3.0; 6.3.2; 6.3.3; 6.4.0; 6.4.2, TIBCO JasperReports Server Community Edition: versions up to and including 6.4.2, TIBCO JasperReports Server for ActiveMatrix BPM: versions up to and including 6.4.2, TIBCO JasperReports Library: versions up to and including 6.2.4; 6.3.0; 6.3.2; 6.3.3; 6.4.0; 6.4.1; 6.4.2, TIBCO JasperReports Library Community Edition: versions up to and including 6.4.3, TIBCO JasperReports Library for ActiveMatrix BPM: versions up to and including 6.4.2, TIBCO Jaspersoft for AWS with Multi-Tenancy: versions up to and including 6.4.2, TIBCO Jaspersoft Reporting and Analytics for AWS: versions up to and including 6.4.2, TIBCO Jaspersoft Studio: versions up to and including 6.2.4; 6.3.0; 6.3.2; 6.3.3; 6.4.0; 6.4.2, TIBCO Jaspersoft Studio Community Edition: versions up to and including 6.4.3, TIBCO Jaspersoft Studio for ActiveMatrix BPM: versions up to and including 6.4.2.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (6.5)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:2.8/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2018-18808 (OSSINDEX)  

The domain management component of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, and TIBCO Jaspersoft Reporting and Analytics for AWS contains a race-condition vulnerability that may allow any users with domain save privileges to gain superuser privileges. Affected releases are TIBCO Software Inc.'s TIBCO JasperReports Server: versions up to and including 6.3.4; 6.4.0; 6.4.1; 6.4.2; 6.4.3; 7.1.0, TIBCO JasperReports Server Community Edition: versions up to and including 7.1.0, TIBCO JasperReports Server for ActiveMatrix BPM: versions up to and including 6.4.3, TIBCO Jaspersoft for AWS with Multi-Tenancy: versions up to and including 7.1.0, and TIBCO Jaspersoft Reporting and Analytics for AWS: versions up to and including 7.1.0.
CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:net.sf.jasperreports:jasperreports:6.4.3:*:*:*:*:*:*:*

CVE-2018-18809  

CISA Known Exploited Vulnerability:
  • Product: TIBCO JasperReports
  • Name: TIBCO JasperReports Library Directory Traversal Vulnerability
  • Date Added: 2022-12-29
  • Description: TIBCO JasperReports Library contains a directory-traversal vulnerability that may allow web server users to access contents of the host system.
  • Required Action: Apply updates per vendor instructions.
  • Due Date: 2023-01-19
  • Notes: https://www.tibco.com/support/advisories/2019/03/tibco-security-advisory-march-6-2019-tibco-jasperreports-library-2018-18809

The default server implementation of TIBCO Software Inc.'s TIBCO JasperReports Library, TIBCO JasperReports Library Community Edition, TIBCO JasperReports Library for ActiveMatrix BPM, TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, and TIBCO Jaspersoft Reporting and Analytics for AWS contains a directory-traversal vulnerability that may theoretically allow web server users to access contents of the host system. Affected releases are TIBCO Software Inc.'s TIBCO JasperReports Library: versions up to and including 6.3.4; 6.4.1; 6.4.2; 6.4.21; 7.1.0; 7.2.0, TIBCO JasperReports Library Community Edition: versions up to and including 6.7.0, TIBCO JasperReports Library for ActiveMatrix BPM: versions up to and including 6.4.21, TIBCO JasperReports Server: versions up to and including 6.3.4; 6.4.0; 6.4.1; 6.4.2; 6.4.3; 7.1.0, TIBCO JasperReports Server Community Edition: versions up to and including 6.4.3; 7.1.0, TIBCO JasperReports Server for ActiveMatrix BPM: versions up to and including 6.4.3, TIBCO Jaspersoft for AWS with Multi-Tenancy: versions up to and including 7.1.0, TIBCO Jaspersoft Reporting and Analytics for AWS: versions up to and including 7.1.0.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:2.8/RC:R/MAV:A

References:

Vulnerable Software & Versions:

jasperreports-6.4.3.jar: jasperreports-ajax.js

File Path: /home/vaclav/.m2/repository/net/sf/jasperreports/jasperreports/6.4.3/jasperreports-6.4.3.jar/net/sf/jasperreports/web/servlets/resources/require/util/jasperreports-ajax.js
MD5: 85953f4089a6dc2e911c29ef8e7c5d37
SHA1: 2a92a219f075bed42da393021147e5b0c6f3e43b
SHA256:0d710432de22d4496fb7d176d5241819ba7e76c1e17e0ad9d0e115800de0948e
Referenced In Project/Scope: OpenKM Web Application:compile

Identifiers

  • None

jasperreports-6.4.3.jar: jasperreports-component-registrar.js

File Path: /home/vaclav/.m2/repository/net/sf/jasperreports/jasperreports/6.4.3/jasperreports-6.4.3.jar/net/sf/jasperreports/web/servlets/resources/require/report/jasperreports-component-registrar.js
MD5: 092620bad43db6100a057c61e69cbb5e
SHA1: 97253af501948407325c829752a67c96742d8334
SHA256:b68d36725e5bb424f43a15660e8f982e0a64a2a182c7cfc9a590f51d0d5003e9
Referenced In Project/Scope: OpenKM Web Application:compile

Identifiers

  • None

jasperreports-6.4.3.jar: jasperreports-event-manager.js

File Path: /home/vaclav/.m2/repository/net/sf/jasperreports/jasperreports/6.4.3/jasperreports-6.4.3.jar/net/sf/jasperreports/web/servlets/resources/require/util/jasperreports-event-manager.js
MD5: 10a0997f563d438eb858b41dd94a27c1
SHA1: eabf21c0ae9692d8f4abbb5bb6a5a5b0e1ab5f01
SHA256:6d2d67c398a6b4174f936129ca596987f61361286b8f73eeb6f37fedcf9885e7
Referenced In Project/Scope: OpenKM Web Application:compile

Identifiers

  • None

jasperreports-6.4.3.jar: jasperreports-loader.js

File Path: /home/vaclav/.m2/repository/net/sf/jasperreports/jasperreports/6.4.3/jasperreports-6.4.3.jar/net/sf/jasperreports/web/servlets/resources/require/util/jasperreports-loader.js
MD5: 8ef7b8cefa65093ac7376996ba9471bb
SHA1: 47e3d81d1f6c696324629058e86389c6a45f100c
SHA256:b1de28c0d6d7d584021fff3842bec6a10e77aa83eca693192cdf6fe9484e9700
Referenced In Project/Scope: OpenKM Web Application:compile

Identifiers

  • None

jasperreports-6.4.3.jar: jasperreports-map.js

File Path: /home/vaclav/.m2/repository/net/sf/jasperreports/jasperreports/6.4.3/jasperreports-6.4.3.jar/net/sf/jasperreports/components/map/resources/require/jasperreports-map.js
MD5: 13f3c3de21e25a34628ff93e96a206d8
SHA1: 31d22dd64d4d25a8a6a2da73abddd9b4e9af0638
SHA256:22f0b454a8f7fa6142954ea008df692fb060c1daf04c1b03da4c9662aa9f2884
Referenced In Project/Scope: OpenKM Web Application:compile

Identifiers

  • None

jasperreports-6.4.3.jar: jasperreports-report-processor.js

File Path: /home/vaclav/.m2/repository/net/sf/jasperreports/jasperreports/6.4.3/jasperreports-6.4.3.jar/net/sf/jasperreports/web/servlets/resources/require/report/jasperreports-report-processor.js
MD5: 0341455e77362bf02011a340736a0dcc
SHA1: ac9496aaa9c31790acaafe9cdbbde8e424f1305a
SHA256:6d4055c6d2304080479b78da8a41b6d1701db6f2ddbd43bf737a44545f5f6b62
Referenced In Project/Scope: OpenKM Web Application:compile

Identifiers

  • None

jasperreports-6.4.3.jar: jasperreports-report.js

File Path: /home/vaclav/.m2/repository/net/sf/jasperreports/jasperreports/6.4.3/jasperreports-6.4.3.jar/net/sf/jasperreports/web/servlets/resources/require/report/jasperreports-report.js
MD5: ec2bfc46f66e75c64c63203d6661a53c
SHA1: b5a457bfacd88aa007ff3edab39242dfac4aa4b3
SHA256:4da2549686f3862a5458bb142e89e83e25bc872cfe95a363b9ac7b47cfe7d9cf
Referenced In Project/Scope: OpenKM Web Application:compile

Identifiers

  • None

jasperreports-6.4.3.jar: jasperreports-status-checker.js

File Path: /home/vaclav/.m2/repository/net/sf/jasperreports/jasperreports/6.4.3/jasperreports-6.4.3.jar/net/sf/jasperreports/web/servlets/resources/require/report/jasperreports-status-checker.js
MD5: fbc5bfbe4c59131051afa5d5f6e30b60
SHA1: caea8f71d778db17c2baa98c327fde8862838034
SHA256:a6a2a2dc09558303062943db0aa47e0b82e332557ad8bd0fb12d3a465a60b947
Referenced In Project/Scope: OpenKM Web Application:compile

Identifiers

  • None

jasperreports-6.4.3.jar: jasperreports-url-manager.js

File Path: /home/vaclav/.m2/repository/net/sf/jasperreports/jasperreports/6.4.3/jasperreports-6.4.3.jar/net/sf/jasperreports/web/servlets/resources/require/util/jasperreports-url-manager.js
MD5: 25b70ab911dd3abb2bdff166ed5cdb7f
SHA1: 64f0297556888b8ed5f24cecf4a6b8fd10eb9c18
SHA256:fed2c2318d73d8e152583986b50da2bd87cbbcefb3a53345d66817800ff1fd8d
Referenced In Project/Scope: OpenKM Web Application:compile

Identifiers

  • None

jasperreports-6.4.3.jar: jasperreports-viewer.js

File Path: /home/vaclav/.m2/repository/net/sf/jasperreports/jasperreports/6.4.3/jasperreports-6.4.3.jar/net/sf/jasperreports/web/servlets/resources/require/viewer/jasperreports-viewer.js
MD5: c40a88b9305586a564ae796be5055805
SHA1: 9551870ac7a316ac75dade68cf7aca0c6f5a98c4
SHA256:0e9c7fa8f4608ade2951de7939b36e99865a8daea3b04badf76199a4007c6e9c
Referenced In Project/Scope: OpenKM Web Application:compile

Identifiers

  • None

jasperreports-6.4.3.jar: jive.column.js

File Path: /home/vaclav/.m2/repository/net/sf/jasperreports/jasperreports/6.4.3/jasperreports-6.4.3.jar/net/sf/jasperreports/components/headertoolbar/resources/require/jive.column.js
MD5: e8156548e5b60aee70b42423bd9d4b99
SHA1: 4ff8749a3a97e483bc9e3b60a0dce144f973ee42
SHA256:cca82248d7a1b5731a2bf5c488ba16310a8b4fbebc78890019a6df37a67fb876
Referenced In Project/Scope: OpenKM Web Application:compile

Identifiers

  • None

jasperreports-6.4.3.jar: jive.crosstab.interactive.js

File Path: /home/vaclav/.m2/repository/net/sf/jasperreports/jasperreports/6.4.3/jasperreports-6.4.3.jar/net/sf/jasperreports/crosstabs/interactive/jive.crosstab.interactive.js
MD5: dc5da154815f7cbd04515cefe6013171
SHA1: 0bf03c519d64327131060e00611bc1a51a68f3b4
SHA256:a98491809e3ac1efdfca235cbbe9008f72785224d7e63c44c1088c620cbdb5bb
Referenced In Project/Scope: OpenKM Web Application:compile

Identifiers

  • None

jasperreports-6.4.3.jar: jive.crosstab.js

File Path: /home/vaclav/.m2/repository/net/sf/jasperreports/jasperreports/6.4.3/jasperreports-6.4.3.jar/net/sf/jasperreports/crosstabs/interactive/jive.crosstab.js
MD5: 1d10fc866cc19e21ee36b527a9b5113c
SHA1: a536a2bec52bfa3a6b96240672486929fb10c1aa
SHA256:8fd877c5d63eaafaf2b90cecbf4f4ae5feea298f5b8b47b51b2bc941f2bb5190
Referenced In Project/Scope: OpenKM Web Application:compile

Identifiers

  • None

jasperreports-6.4.3.jar: jive.interactive.column.js

File Path: /home/vaclav/.m2/repository/net/sf/jasperreports/jasperreports/6.4.3/jasperreports-6.4.3.jar/net/sf/jasperreports/components/headertoolbar/resources/require/jive.interactive.column.js
MD5: e77f16b48d85465e64118e5fd9ab5b48
SHA1: 0eb051fd2338d72562e81923bd86676e8613f78d
SHA256:78ae764d6e953d0841ece6944052391916358b93bd632815a2aa3251807302ea
Referenced In Project/Scope: OpenKM Web Application:compile

Identifiers

  • None

jasperreports-6.4.3.jar: jive.interactive.sort.js

File Path: /home/vaclav/.m2/repository/net/sf/jasperreports/jasperreports/6.4.3/jasperreports-6.4.3.jar/net/sf/jasperreports/components/sort/resources/jive.interactive.sort.js
MD5: 0375b5c3fcf2a782fb835f3abe797d35
SHA1: f5c6a0c4155b17aa56c4c76b363ed543a6a2e801
SHA256:d2b9f32db7668e4fe125957e7b14724a65ad21f2fad60a78d56ab299c537c108
Referenced In Project/Scope: OpenKM Web Application:compile

Identifiers

  • None

jasperreports-6.4.3.jar: jive.js

File Path: /home/vaclav/.m2/repository/net/sf/jasperreports/jasperreports/6.4.3/jasperreports-6.4.3.jar/net/sf/jasperreports/components/headertoolbar/resources/require/jive.js
MD5: 77b2f726de0bdf4663ccdfc38330a4d1
SHA1: 37a2280503f329be6ec83789ef83179309c64842
SHA256:f265de0b377a0badd18e6c5feb141a2a85fda91f701b0bf0e0f8acaf508716ec
Referenced In Project/Scope: OpenKM Web Application:compile

Identifiers

  • None

jasperreports-6.4.3.jar: jive.sort.js

File Path: /home/vaclav/.m2/repository/net/sf/jasperreports/jasperreports/6.4.3/jasperreports-6.4.3.jar/net/sf/jasperreports/components/sort/resources/jive.sort.js
MD5: a59ceb3e639af3cdd6ca6209bad0db11
SHA1: fe80e9f3b9e4dac807950762e9255deb3e86d026
SHA256:9e0f0b7bb09de0eb4d9694e5d1d92aa051f13330e656c50ba62368137fccb0b1
Referenced In Project/Scope: OpenKM Web Application:compile

Identifiers

  • None

jasperreports-6.4.3.jar: jive.table.js

File Path: /home/vaclav/.m2/repository/net/sf/jasperreports/jasperreports/6.4.3/jasperreports-6.4.3.jar/net/sf/jasperreports/components/headertoolbar/resources/require/jive.table.js
MD5: 2d5c7e5595b25502a7d3d3018df1344b
SHA1: 1cc7622c13bda8f8bcc645c7a68fdc48c77a1d61
SHA256:30d4017a0644307ccfa42b76d0008a3fc3738427c015a7932dbecf0dc85b6bd6
Referenced In Project/Scope: OpenKM Web Application:compile

Identifiers

  • None

jasperreports-6.4.3.jar: process.js

File Path: /home/vaclav/.m2/repository/net/sf/jasperreports/jasperreports/6.4.3/jasperreports-6.4.3.jar/net/sf/jasperreports/phantomjs/process.js
MD5: 5ad4b092e87c3e95e19637025fa2032a
SHA1: 8650b2bba0f77b6df8c29d91b88a4670fd7a9fdd
SHA256:13ebea4bfe1517fb49c0816211deab79c3fa9949f182869340e435564207585b
Referenced In Project/Scope: OpenKM Web Application:compile

Identifiers

  • None

jasypt-1.9.2.jar

Description:

Java library which enables encryption in java apps with minimum effort.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/vaclav/.m2/repository/org/jasypt/jasypt/1.9.2/jasypt-1.9.2.jar
MD5: 92a13d215927d3d5fccb5487c1b13ba2
SHA1: 91eee489a389faba9fc57bfee75c87c615c19cd7
SHA256:32f8755847f3fce72de4aa16480ed8fe23b51d0f4aea7eab9e167126bb1ba048
Referenced In Project/Scope: OpenKM Web Application:compile
jasypt-1.9.2.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.apache.cxf/cxf-rt-ws-security@3.2.6

Identifiers

java-support-7.3.0.jar

File Path: /home/vaclav/.m2/repository/net/shibboleth/utilities/java-support/7.3.0/java-support-7.3.0.jar
MD5: 67b23622febcf0461863d52ccb4776d8
SHA1: 288ecc17f2025ad14f768163d42808987d5ffcd6
SHA256:b7b21ebba678ed560c1cf5883a7d49b014e0adba48bf2a10e36578dd6534f852
Referenced In Project/Scope: OpenKM Web Application:compile
java-support-7.3.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.apache.cxf/cxf-rt-ws-security@3.2.6

Identifiers

javascript-hint.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/addon/hint/javascript-hint.js
MD5: d79ae58e0f25aabc775c71bb0af99357
SHA1: 395a4a5048d017ee3081af8d202e4bf96e43805c
SHA256:805c97fdeb10a3ebab5f474966b726cf15a4e55eceb6f7886677370dd6c4dfa4
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

javascript-lint.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/addon/lint/javascript-lint.js
MD5: 618bf1f00fc8161c71613f443a34d13f
SHA1: 760e7bba7b35052e72209611478a8233f7474258
SHA256:2c58d119ec57e849a147e916e719056e9b4e78474943ebe126e10c57ae5838c5
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

javascript.js

File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/javascript/javascript.js
MD5: 7e66472c040cbb89589b5adf9c2e7f2f
SHA1: 8ee97b348b9bb0f100de9993e8f62e662758613c
SHA256:2a33e964f53df578ab2e20ec0da48f7d0a942f578167178c9d1ebcd3c71dc008
Referenced In Project/Scope: OpenKM Web Application

Identifiers

  • None

javase-2.2.jar

Description:

Java SE-specific extensions to core ZXing library

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/vaclav/.m2/repository/com/google/zxing/javase/2.2/javase-2.2.jar
MD5: 207b44a0524ce5a3901629ec8ef27246
SHA1: 049c7efbaa67727bef5f2dd79efba1ca35f3e7f0
SHA256:cc32f41b3fcff840bcdd08f14d24e7c170e382bd5c5a81a072ac075e66cc8426
Referenced In Project/Scope: OpenKM Web Application:compile
javase-2.2.jar is in the transitive dependency tree of the listed items.
Included by: pkg:maven/com.openkm/openkm@6.3.12

Identifiers

javassist-3.12.1.GA.jar

Description:

Javassist (JAVA programming ASSISTant) makes Java bytecode manipulation simple. It is a class library for editing bytecodes in Java.

License:

MPL 1.1: http://www.mozilla.org/MPL/MPL-1.1.html
LGPL 2.1: http://www.gnu.org/licenses/lgpl-2.1.html
File Path: /home/vaclav/.m2/repository/javassist/javassist/3.12.1.GA/javassist-3.12.1.GA.jar
MD5: 30d9d95456d43005da78d7281accccd1
SHA1: 526633327faa61aee448a519e8a4d53ec3057885
SHA256:3f5780dacb4b28ad147100f74361bb338a45069d8034b24735bb8292d2856614
Referenced In Project/Scope: OpenKM Web Application:compile
javassist-3.12.1.GA.jar is in the transitive dependency tree of the listed items.
Included by: pkg:maven/com.openkm/openkm@6.3.12

Identifiers

javassist-3.21.0-GA.jar

Description:

Javassist (JAVA programming ASSISTant) makes Java bytecode manipulation simple. It is a class library for editing bytecodes in Java.

License:

MPL 1.1: http://www.mozilla.org/MPL/MPL-1.1.html
LGPL 2.1: http://www.gnu.org/licenses/lgpl-2.1.html
Apache License 2.0: http://www.apache.org/licenses/
File Path: /home/vaclav/.m2/repository/org/javassist/javassist/3.21.0-GA/javassist-3.21.0-GA.jar
MD5: 3dba2305f842c2891df0a0926e18bcfa
SHA1: 598244f595db5c5fb713731eddbb1c91a58d959b
SHA256:7aa59e031f941984af07dacc6ca85e6dc9bd3a485e9aa2494cbc034efa1225d0
Referenced In Project/Scope: OpenKM Web Application:compile
javassist-3.21.0-GA.jar is in the transitive dependency tree of the listed items.
Included by: pkg:maven/org.reflections/reflections@0.9.11

Identifiers

javax.annotation-api-1.3.jar

Description:

Common Annotations for the JavaTM Platform API

License:

CDDL + GPLv2 with classpath exception: https://glassfish.dev.java.net/nonav/public/CDDL+GPL.html
File Path: /home/vaclav/.m2/repository/javax/annotation/javax.annotation-api/1.3/javax.annotation-api-1.3.jar
MD5: 707336a61fa1a548342bc793362bd9da
SHA1: 67747496d8b5c1f300ed3cde4ba69d6f453ba984
SHA256:f43f8ca10941606fb675785286981c166be1393f584020ffd965c6863f62232c
Referenced In Project/Scope: OpenKM Web Application:compile
javax.annotation-api-1.3.jar is in the transitive dependency tree of the listed items.
Included by: pkg:maven/org.apache.cxf/cxf-rt-frontend-jaxrs@3.2.6

Identifiers

javax.inject-1.jar

Description:

The javax.inject API

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/vaclav/.m2/repository/javax/inject/javax.inject/1/javax.inject-1.jar
MD5: 289075e48b909e9e74e6c915b3631d2e
SHA1: 6975da39a7040257bd51d21a231b76c915872d38
SHA256:91c77044a50c481636c32d916fd89c9118a72195390452c81065080f957de7ff
Referenced In Project/Scope: OpenKM Web Application:compile
javax.inject-1.jar is in the transitive dependency tree of the listed items.
Included by: pkg:maven/net.sf.jasperreports/jasperreports@6.4.3

Identifiers

javax.mail-1.6.2.jar

Description:

JavaMail API

License:

https://javaee.github.io/javamail/LICENSE
File Path: /home/vaclav/.m2/repository/com/sun/mail/javax.mail/1.6.2/javax.mail-1.6.2.jar
MD5: 0b81d022797740d72d21620781841374
SHA1: 935151eb71beff17a2ffac15dd80184a99a0514f
SHA256:45b515e7104944c09e45b9c7bb1ce5dff640486374852dd2b2e80cc3752dfa11
Referenced In Project/Scope: OpenKM Web Application:provided
javax.mail-1.6.2.jar is in the transitive dependency tree of the listed items.
Included by: pkg:maven/com.openkm/openkm@6.3.12

Identifiers

javax.servlet-api-3.0.1.jar

Description:

Java.net - The Source for Java Technology Collaboration

License:

CDDL + GPLv2 with classpath exception: https://glassfish.dev.java.net/nonav/public/CDDL+GPL.html
File Path: /home/vaclav/.m2/repository/javax/servlet/javax.servlet-api/3.0.1/javax.servlet-api-3.0.1.jar
MD5: 3ef236ac4c24850cd54abff60be25f35
SHA1: 6bf0ebb7efd993e222fc1112377b5e92a13b38dd
SHA256:377d8bde87ac6bc7f83f27df8e02456d5870bb78c832dac656ceacc28b016e56
Referenced In Project/Scope: OpenKM Web Application:provided
javax.servlet-api-3.0.1.jar is in the transitive dependency tree of the listed items.
Included by: pkg:maven/com.openkm/openkm@6.3.12

Identifiers

javax.websocket-api-1.0.jar

Description:

JSR 356: Java API for WebSocket

License:

https://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: /home/vaclav/.m2/repository/javax/websocket/javax.websocket-api/1.0/javax.websocket-api-1.0.jar
MD5: 510563ac69503be2d6cbb6d492a8027b
SHA1: fc843b649d4a1dcb0497669d262befa3918c7ba8
SHA256:dd93009fb5aa3798bcd9ab0492a292ddae0f0b1ed2e45a75867a9925c90e747a
Referenced In Project/Scope: OpenKM Web Application:provided
javax.websocket-api-1.0.jar is in the transitive dependency tree of the listed items.
Included by: pkg:maven/com.openkm/openkm@6.3.12

Identifiers

javax.ws.rs-api-2.1.jar

Description:

Java API for RESTful Web Services (JAX-RS)

License:

CDDL 1.1: https://oss.oracle.com/licenses/CDDL+GPL-1.1
GPL2 w/ CPE: https://oss.oracle.com/licenses/CDDL+GPL-1.1
File Path: /home/vaclav/.m2/repository/javax/ws/rs/javax.ws.rs-api/2.1/javax.ws.rs-api-2.1.jar
MD5: 2f754caa430ca5a51a662d6aa821a152
SHA1: 426a0862406536e690c7caa8bb6ed32191986fac
SHA256:1a4295889416c6972addcd425dfeeee6e6ede110e8b2dc8b49044e9b400ad5db
Referenced In Project/Scope: OpenKM Web Application:compile
javax.ws.rs-api-2.1.jar is in the transitive dependency tree of the listed items.
Included by: pkg:maven/org.apache.cxf/cxf-rt-frontend-jaxrs@3.2.6

Identifiers

jaxb-api-2.1.jar

File Path: /home/vaclav/.m2/repository/javax/xml/bind/jaxb-api/2.1/jaxb-api-2.1.jar
MD5: 9534ce6506dc96bac3944423d804be30
SHA1: d68570e722cffe2000358ce9c661a0b0bf1ebe11
SHA256:2e9dc899a785544e8a8262047cd370636f734ee0246e36263ee0295c3f3aed94
Referenced In Project/Scope: OpenKM Web Application:compile
jaxb-api-2.1.jar is in the transitive dependency tree of the listed items.
Included by: pkg:maven/org.apache.chemistry.opencmis/chemistry-opencmis-server-bindings@0.12.0

Identifiers

jaxb-impl-2.1.11.jar

File Path: /home/vaclav/.m2/repository/com/sun/xml/bind/jaxb-impl/2.1.11/jaxb-impl-2.1.11.jar
MD5: 89da999f2402d204a96a92ba988e7be8
SHA1: 69e2546dae3895d25aeb5e70225e492d1b9bd696
SHA256:258edbd409dd52238d550a1f8640597b3b6853b8649b42b4dd55ec4d283e217d
Referenced In Project/Scope: OpenKM Web Application:compile
jaxb-impl-2.1.11.jar is in the transitive dependency tree of the listed items.
Included by: pkg:maven/org.apache.chemistry.opencmis/chemistry-opencmis-server-bindings@0.12.0

Identifiers

jaxb-svg11-1.0.2.jar

Description:

JAXB classes modelling SVG 1.1

License:

Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/vaclav/.m2/repository/org/plutext/jaxb-svg11/1.0.2/jaxb-svg11-1.0.2.jar
MD5: 91f22bed36295692c384e846dfc460b0
SHA1: 3c0cd54d5691f5b5f8c60ed0c06353ff1db424e1
SHA256:6799f39d49d9dbfef140e76b33d0884d55372935768a3955900eb022576a760d
Referenced In Project/Scope: OpenKM Web Application:compile
jaxb-svg11-1.0.2.jar is in the transitive dependency tree of the listed items.
Included by: pkg:maven/org.docx4j/docx4j@3.1.0

Identifiers

jaxb-xmldsig-core-1.0.0.jar

Description:

JAXB classes for http://www.w3.org/TR/xmldsig-core/xmldsig-core-schema.xsd generated using XJC

License:

Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/vaclav/.m2/repository/org/plutext/jaxb-xmldsig-core/1.0.0/jaxb-xmldsig-core-1.0.0.jar
MD5: 53ac0ceaf724c8fecfd15f6a845cb521
SHA1: 57514aa2f72111cfbc0a532ce88782735370e1e5
SHA256:f5c7ce3549cde8e26a2696aa5291a14a4c6168633a1b46b3483e01ab9681feb0
Referenced In Project/Scope: OpenKM Web Application:compile
jaxb-xmldsig-core-1.0.0.jar is in the transitive dependency tree of the listed items.
Included by: pkg:maven/org.docx4j/docx4j@3.1.0

Identifiers

jaxb-xslfo-1.0.1.jar

Description:

JAXB classes modelling XSL FO

License:

Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/vaclav/.m2/repository/org/plutext/jaxb-xslfo/1.0.1/jaxb-xslfo-1.0.1.jar
MD5: 234da3ab3340e000c10cd0dc917b7e15
SHA1: 85441209652b216f61160445b399f5bc97e370c6
SHA256:0162ddef898af716a2c95e17de0c2b3aa5ce5b6483da688c75479023b7186d56
Referenced In Project/Scope: OpenKM Web Application:compile
jaxb-xslfo-1.0.1.jar is in the transitive dependency tree of the listed items.
Included by: pkg:maven/org.docx4j/docx4j@3.1.0

Identifiers

jaxws-api-2.1.jar

File Path: /home/vaclav/.m2/repository/javax/xml/ws/jaxws-api/2.1/jaxws-api-2.1.jar
MD5: f3a03da3f160081c75caac82a3515f91
SHA1: 204ea80c6a85f009c90bddda8c93c17644702022
SHA256:99e674edd93e447b2d13a7ce12b4c5e56ed3637921f77f7b561991deea53eed3
Referenced In Project/Scope: OpenKM Web Application:compile
jaxws-api-2.1.jar is in the transitive dependency tree of the listed items.
Included by: pkg:maven/org.apache.chemistry.opencmis/chemistry-opencmis-server-bindings@0.12.0

Identifiers

jaxws-rt-2.1.7.jar

Description:

Open source Reference Implementation of JSR-224: Java API for XML Web Services

License:

Dual license consisting of the CDDL v1.0 and GPL v2: https://glassfish.dev.java.net/public/CDDL+GPL.html
File Path: /home/vaclav/.m2/repository/com/sun/xml/ws/jaxws-rt/2.1.7/jaxws-rt-2.1.7.jar
MD5: 9e88ea3a7fd6dee8d532342d5f585adf
SHA1: e4da64bb02bef8ebb174ca17747e6a6bf4a01eeb
SHA256:bad6e1e2da7cd3f0a8c5030b130ae2573b33460461744a8c80ce3e910d55aacd
Referenced In Project/Scope: OpenKM Web Application:compile
jaxws-rt-2.1.7.jar is in the transitive dependency tree of the listed items.
Included by: pkg:maven/org.apache.chemistry.opencmis/chemistry-opencmis-server-bindings@0.12.0

Identifiers

CVE-2013-5816 (OSSINDEX)  

Unspecified vulnerability in the Oracle GlassFish Server component in Oracle Fusion Middleware 2.1.1, 3.0.1, and 3.1.2 allows remote attackers to affect availability via unknown vectors related to Metro.
CWE-400 Uncontrolled Resource Consumption

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.sun.xml.ws:jaxws-rt:2.1.7:*:*:*:*:*:*:*

jbpm-jpdl-3.3.1.OKM.jar

File Path: /home/vaclav/.m2/repository/org/jbpm/jbpm3/jbpm-jpdl/3.3.1.OKM/jbpm-jpdl-3.3.1.OKM.jar
MD5: 3ae64ee76f4e952d3f3ef99dc5a316ca
SHA1: 08a0fe7368d0b43128b04772456b5065413db4e7
SHA256:b64576e0904c7333eead64b1db1b79b02879701efce787b513dbe8555c2e202d
Referenced In Project/Scope: OpenKM Web Application:compile
jbpm-jpdl-3.3.1.OKM.jar is in the transitive dependency tree of the listed items.
Included by: pkg:maven/com.openkm/openkm@6.3.12

Identifiers

CVE-2014-8125  

XML external entity (XXE) vulnerability in Drools and jBPM before 6.2.0 allows remote attackers to read arbitrary files or possibly have other unspecified impact via a crafted BPMN2 file.
NVD-CWE-Other

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P

References:

    Vulnerable Software & Versions:

    jcommon-1.0.23.jar

    Description:

    JCommon is a free general purpose Java class library that is used in several projects at www.jfree.org, including JFreeChart and JFreeReport.

    License:

    GNU Lesser General Public Licence: http://www.gnu.org/licenses/lgpl.txt
    File Path: /home/vaclav/.m2/repository/org/jfree/jcommon/1.0.23/jcommon-1.0.23.jar
    MD5: 1b059adc60fef2da40b7130f9a67f977
    SHA1: a316f336ca996e0c6bec4e4fbd49be8f5e1c3968
    SHA256:1e670402809484c71ec74d55b40022a4c4939c7911bd39ee5a0cfb3aaf56397c
    Referenced In Project/Scope: OpenKM Web Application:compile
    jcommon-1.0.23.jar is in the transitive dependency tree of the listed items.
    Included by: pkg:maven/net.sf.jasperreports/jasperreports@6.4.3

    Identifiers

    jcsv-1.4.0.jar

    Description:

    jCSV is a simple CSV library for Java

    License:

    The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
    File Path: /home/vaclav/.m2/repository/com/googlecode/jcsv/jcsv/1.4.0/jcsv-1.4.0.jar
    MD5: da45c324b09095a1e82b890a3324a571
    SHA1: 3b2dfd1ff251cdcf4745a7643a966f14d10e2532
    SHA256:73ca7d715e90c8d2c2635cc284543b038245a34f70790660ed590e157b8714a2
    Referenced In Project/Scope: OpenKM Web Application:compile
    jcsv-1.4.0.jar is in the transitive dependency tree of the listed items.
    Included by: pkg:maven/com.openkm/openkm@6.3.12

    Identifiers

    jdom-1.0.jar

    File Path: /home/vaclav/.m2/repository/jdom/jdom/1.0/jdom-1.0.jar
    MD5: 0b8f97de82fc9529b1028a77125ce4f8
    SHA1: a2ac1cd690ab4c80defe7f9bce14d35934c35cec
    SHA256:3b23bc3979aec14a952a12aafc483010dc57579775f2ffcacef5256a90eeda02
    Referenced In Project/Scope: OpenKM Web Application:compile
    jdom-1.0.jar is in the transitive dependency tree of the listed items.
    Included by: pkg:maven/rome/rome@1.0

    Identifiers

    CVE-2021-33813  

    An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request.
    CWE-611 Improper Restriction of XML External Entity Reference

    CVSSv2:
    • Base Score: MEDIUM (5.0)
    • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
    CVSSv3:
    • Base Score: HIGH (7.5)
    • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A

    References:

    Vulnerable Software & Versions:

    jdom-2.0.2.jar

    Description:

    A complete, Java-based solution for accessing, manipulating, and outputting XML data

    License:

    Similar to Apache License but with the acknowledgment clause removed: https://raw.github.com/hunterhacker/jdom/master/LICENSE.txt
    File Path: /home/vaclav/.m2/repository/org/jdom/jdom/2.0.2/jdom-2.0.2.jar
    MD5: f2ce377fffc36a069117c578c14139ba
    SHA1: d06c71e0df0ac4b94deb737718580ccce22d92e8
    SHA256:2bdf7a48fddc9259f5aa420eee328e939d71302a6a1b79a176e4fd47ee988b97
    Referenced In Project/Scope: OpenKM Web Application:compile
    jdom-2.0.2.jar is in the transitive dependency tree of the listed items.
    Included by: pkg:maven/com.ettrema/milton-api@1.8.1.4

    Identifiers

    CVE-2021-33813  

    An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request.
    CWE-611 Improper Restriction of XML External Entity Reference

    CVSSv2:
    • Base Score: MEDIUM (5.0)
    • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
    CVSSv3:
    • Base Score: HIGH (7.5)
    • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A

    References:

    Vulnerable Software & Versions:

    jettison-1.3.5.jar

    Description:

    A StAX implementation for JSON.

    License:

    Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0
    File Path: /home/vaclav/.m2/repository/org/codehaus/jettison/jettison/1.3.5/jettison-1.3.5.jar
    MD5: f89c69522ab58a11b8a6251d5035d289
    SHA1: cdd210ae7fe10fd6bc3d9159142cb2a4da417020
    SHA256:fc1acf29f13717c71bbe49dae931b0fc160f68e3aa2ae792a8fe2bd9f2d1966c
    Referenced In Project/Scope: OpenKM Web Application:compile
    jettison-1.3.5.jar is in the transitive dependency tree of the listed items.
    Included by: pkg:maven/com.openkm/openkm@6.3.12

    Identifiers

    CVE-2022-40149  

    Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.
    CWE-787 Out-of-bounds Write, CWE-121 Stack-based Buffer Overflow

    CVSSv3:
    • Base Score: HIGH (7.5)
    • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A

    References:

    Vulnerable Software & Versions:

    CVE-2022-40150  

    Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by Out of memory. This effect may support a denial of service attack.
    CWE-400 Uncontrolled Resource Consumption, CWE-674 Uncontrolled Recursion

    CVSSv3:
    • Base Score: HIGH (7.5)
    • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A

    References:

    Vulnerable Software & Versions:

    CVE-2022-45685  

    A stack overflow in Jettison before v1.5.2 allows attackers to cause a Denial of Service (DoS) via crafted JSON data.
    CWE-787 Out-of-bounds Write

    CVSSv3:
    • Base Score: HIGH (7.5)
    • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A

    References:

    Vulnerable Software & Versions:

    CVE-2022-45693  

    Jettison before v1.5.2 was discovered to contain a stack overflow via the map parameter. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted string.
    CWE-787 Out-of-bounds Write

    CVSSv3:
    • Base Score: HIGH (7.5)
    • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A

    References:

    Vulnerable Software & Versions:

    CVE-2023-1436  

    An infinite recursion is triggered in Jettison when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. This leads to a StackOverflowError exception being thrown.
    CWE-674 Uncontrolled Recursion

    CVSSv3:
    • Base Score: HIGH (7.5)
    • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A

    References:

    Vulnerable Software & Versions:

    jetty-6.1.26.jar

    Description:

    Jetty server core

    License:

    http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
    File Path: /home/vaclav/.m2/repository/org/mortbay/jetty/jetty/6.1.26/jetty-6.1.26.jar
    MD5: 12b65438bbaf225102d0396c21236052
    SHA1: 2f546e289fddd5b1fab1d4199fbb6e9ef43ee4b0
    SHA256:21091d3a9c1349f640fdc421504a604c040ed89087ecc12afbe32353326ed4e5
    Referenced In Project/Scope: OpenKM Web Application:compile
    jetty-6.1.26.jar is in the transitive dependency tree of the listed items.
    Included by: pkg:maven/com.google.gdata/core@1.47.1

    Identifiers

    CVE-2011-4461  

    Jetty 8.1.0.RC2 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.
    CWE-310 Cryptographic Issues

    CVSSv2:
    • Base Score: MEDIUM (5.0)
    • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
    CVSSv3:
    • Base Score: MEDIUM (5.3)
    • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:3.9/RC:R/MAV:A

    References:

    Vulnerable Software & Versions:

    CVE-2009-1523  

    Directory traversal vulnerability in the HTTP server in Mort Bay Jetty 5.1.14, 6.x before 6.1.17, and 7.x through 7.0.0.M2 allows remote attackers to access arbitrary files via directory traversal sequences in the URI.
    CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

    CVSSv2:
    • Base Score: MEDIUM (5.0)
    • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N

    References:

    Vulnerable Software & Versions:

    jfreechart-1.0.19.jar

    Description:

    JFreeChart is a class library, written in Java, for generating charts. Utilising the Java2D APIs, it currently supports bar charts, pie charts, line charts, XY-plots and time series plots.

    License:

    GNU Lesser General Public Licence: http://www.gnu.org/licenses/lgpl.txt
    File Path: /home/vaclav/.m2/repository/org/jfree/jfreechart/1.0.19/jfreechart-1.0.19.jar
    MD5: 4ff3762bd04a7239cfb98de542134bec
    SHA1: ba9ee7dbb2e4c57a6901c79f614ed2dea9cc0e20
    SHA256:153d077d6399776a45de97c555ad026eb6201d4bd8af86cfce7b8b4ccfa66263
    Referenced In Project/Scope: OpenKM Web Application:compile
    jfreechart-1.0.19.jar is in the transitive dependency tree of the listed items.
    Included by: pkg:maven/net.sf.jasperreports/jasperreports@6.4.3

    Identifiers

    jinja2.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/jinja2/jinja2.js
    MD5: 5ffd7a5537a77b189e94aa6a213a9999
    SHA1: cd5b5b67d6d1af6b261fe49b199d4194042d969d
    SHA256:0dbb880857eb723321c95fbcae54c3db8b41b966258ef90a2ce65a5f29f4ab0d
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    jiu-2007.07.01.jar

    File Path: /home/vaclav/.m2/repository/net/sourceforge/jiu/2007.07.01/jiu-2007.07.01.jar
    MD5: 775714a91e0d17113e70f37a1a1e830b
    SHA1: 990b51efb10d463e3ec2e8630ae21f6ec5ee3342
    SHA256:6a4bb44b7e921fd5764d1b46abdef9756fcd162c98632ebe2674aa3c5d3793ea
    Referenced In Project/Scope: OpenKM Web Application:compile
    jiu-2007.07.01.jar is in the transitive dependency tree of the listed items.
    Included by: pkg:maven/com.openkm/openkm@6.3.12

    Identifiers

    jlan-5.0.0.jar

    File Path: /home/vaclav/.m2/repository/org/alfresco/jlan/5.0.0/jlan-5.0.0.jar
    MD5: 878a3a416bf3d596a6341ba95b575443
    SHA1: d84274eb67f61c79efc5ac0405d28dddf5d31660
    SHA256:266688a94ced7c24f0851425c87aa18c69521d772f6a7e3018cb669e3f54ed17
    Referenced In Project/Scope: OpenKM Web Application:compile
    jlan-5.0.0.jar is in the transitive dependency tree of the listed items.
    Included by: pkg:maven/com.openkm/openkm@6.3.12

    Identifiers

    CVE-2019-14222  

    An issue was discovered in Alfresco Community Edition versions 6.0 and lower. An unauthenticated, remote attacker could authenticate to Alfresco's Solr Web Admin Interface. The vulnerability is due to the presence of a default private key that is present in all default installations. An attacker could exploit this vulnerability by using the extracted private key and bundling it into a PKCS12. A successful exploit could allow the attacker to gain information about the target system (e.g., OS type, system file locations, Java version, Solr version, etc.) as well as the ability to launch further attacks by leveraging the access to Alfresco's Solr Web Admin Interface.
    CWE-1188 Insecure Default Initialization of Resource

    CVSSv2:
    • Base Score: HIGH (7.5)
    • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
    CVSSv3:
    • Base Score: CRITICAL (9.8)
    • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A

    References:

    Vulnerable Software & Versions:

    CVE-2019-14223  

    An issue was discovered in Alfresco Community Edition versions below 5.2.6, 6.0.N and 6.1.N. The Alfresco Share application is vulnerable to an Open Redirect attack via a crafted POST request. By manipulating the POST parameters, an attacker can redirect a victim to a malicious website over any protocol the attacker desires (e.g., http, https, ftp, smb, etc.).
    CWE-601 URL Redirection to Untrusted Site ('Open Redirect')

    CVSSv2:
    • Base Score: MEDIUM (5.8)
    • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:N
    CVSSv3:
    • Base Score: MEDIUM (6.1)
    • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:2.8/RC:R/MAV:A

    References:

    Vulnerable Software & Versions:

    CVE-2015-3366  

    Cross-site request forgery (CSRF) vulnerability in the Alfresco module before 6.x-1.3 for Drupal allows remote attackers to hijack the authentication of arbitrary users for requests that delete an alfresco node via unspecified vectors.
    CWE-352 Cross-Site Request Forgery (CSRF)

    CVSSv2:
    • Base Score: MEDIUM (5.8)
    • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:P

    References:

    Vulnerable Software & Versions:

    CVE-2019-19496  

    Alfresco Enterprise before 5.2.5 allows stored XSS via an uploaded HTML document.
    CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

    CVSSv2:
    • Base Score: LOW (3.5)
    • Vector: /AV:N/AC:M/Au:S/C:N/I:P/A:N
    CVSSv3:
    • Base Score: MEDIUM (5.4)
    • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:2.3/RC:R/MAV:A

    References:

    Vulnerable Software & Versions:

    CVE-2020-8776  

    Alfresco Enterprise before 5.2.7 and Alfresco Community before 6.2.0 (rb65251d6-b368) has XSS via the URL property of a file.
    CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

    CVSSv2:
    • Base Score: LOW (3.5)
    • Vector: /AV:N/AC:M/Au:S/C:N/I:P/A:N
    CVSSv3:
    • Base Score: MEDIUM (5.4)
    • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:2.3/RC:R/MAV:A

    References:

    Vulnerable Software & Versions:

    CVE-2020-8777  

    Alfresco Enterprise before 5.2.7 and Alfresco Community before 6.2.0 (rb65251d6-b368) has XSS via a user profile photo, as demonstrated by a SCRIPT element in an SVG document.
    CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

    CVSSv2:
    • Base Score: LOW (3.5)
    • Vector: /AV:N/AC:M/Au:S/C:N/I:P/A:N
    CVSSv3:
    • Base Score: MEDIUM (5.4)
    • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:2.3/RC:R/MAV:A

    References:

    Vulnerable Software & Versions:

    CVE-2020-8778  

    Alfresco Enterprise before 5.2.7 and Alfresco Community before 6.2.0 (rb65251d6-b368) has XSS via an uploaded document, when the attacker has write access to a project.
    CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

    CVSSv2:
    • Base Score: LOW (3.5)
    • Vector: /AV:N/AC:M/Au:S/C:N/I:P/A:N
    CVSSv3:
    • Base Score: MEDIUM (5.4)
    • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:2.3/RC:R/MAV:A

    References:

    Vulnerable Software & Versions:

    jmyspell-core-1.0.0-beta-2.jar

    Description:

    JMySpell is a spell-checker for Java applications, capable of seamlessly incorporating the existing OpenOffice.org dictionaries. Based on MySpell (but written in 100% Java.)

    File Path: /home/vaclav/.m2/repository/org/dts/jmyspell-core/1.0.0-beta-2/jmyspell-core-1.0.0-beta-2.jar
    MD5: ff2496320fea8ac5c2083bfe08ca7f23
    SHA1: 47a3f90f405377fc9239867e0ee91b48e1936ef2
    SHA256:3b89ab0d04db1e7957731df37573de79b8038496572afcf8c7dfb1074da5f34f
    Referenced In Project/Scope: OpenKM Web Application:compile
    jmyspell-core-1.0.0-beta-2.jar is in the transitive dependency tree of the listed items.
    Included by: pkg:maven/com.openkm/openkm@6.3.12

    Identifiers

    joda-time-1.6.2.jar

    Description:

    Date and time library to replace JDK date handling

    License:

    Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt
    File Path: /home/vaclav/.m2/repository/joda-time/joda-time/1.6.2/joda-time-1.6.2.jar
    MD5: 6442e992dedaddadd8b9e3c87a38bfb8
    SHA1: 7a0525fe460ef5b99ea3152e6d2c0e4f24f04c51
    SHA256:442ffc099aaa8e1907dcf8806104c1640acba906f68988f9c5a2e1442e0fb8e5
    Referenced In Project/Scope: OpenKM Web Application:compile
    joda-time-1.6.2.jar is in the transitive dependency tree of the listed items.
    Included by: pkg:maven/org.apache.ws.security/wss4j@1.6.4

    Identifiers

    jodreports-2.4.0.jar

    Description:

    JODReports generates dynamic documents and reports based on the OpenDocument Format and FreeMarker.

    License:

    GNU Lesser General Public License, Version 2.1: http://www.gnu.org/licenses/lgpl.html
    File Path: /home/vaclav/.m2/repository/net/sf/jodreports/jodreports/2.4.0/jodreports-2.4.0.jar
    MD5: 5c68dcd6d97331688503ac51e6b3b226
    SHA1: 81397f93e3aa00f5c432677d592e988d7ffcc9cb
    SHA256:b823e7a7e654e31db02301cd28c09631c9598158f128e919b4fc564f1b57ce1e
    Referenced In Project/Scope: OpenKM Web Application:compile
    jodreports-2.4.0.jar is in the transitive dependency tree of the listed items.
    Included by: pkg:maven/com.openkm/openkm@6.3.12

    Identifiers

    jqTabs.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/jqTabs.js
    MD5: 08a8de2ee77768661c329b0b31399a0c
    SHA1: 7dc1daa4a9d5de72af81b823b2ca0671467bd60a
    SHA256:954e6e989302d5290ff1165cb0a282cb6373c8887ad3e8d99d987721f2b41cab
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    jquery-1.11.3.min.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-1.11.3.min.js
    MD5: 895323ed2f7258af4fae2c738c8aea49
    SHA1: 276c87ff3e1e3155679c318938e74e5c1b76d809
    SHA256:ecb916133a9376911f10bc5c659952eb0031e457f5df367cde560edbfba38fb8
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    CVE-2015-9251  

    jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
    CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

    CVSSv2:
    • Base Score: MEDIUM (4.3)
    • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
    CVSSv3:
    • Base Score: MEDIUM (6.1)
    • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:2.8/RC:R/MAV:A

    References:

    Vulnerable Software & Versions (NVD):

    • cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:* versions up to (excluding) 3.0.0
    • cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.3.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:banking_platform:2.6.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:banking_platform:2.6.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:banking_platform:2.6.2:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:business_process_management_suite:11.1.1.9.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:business_process_management_suite:12.1.3.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_converged_application_server:*:*:*:*:*:*:*:* versions up to (excluding) 7.0.0.1
    • cpe:2.3:a:oracle:communications_interactive_session_recorder:6.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_interactive_session_recorder:6.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_interactive_session_recorder:6.2:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_services_gatekeeper:*:*:*:*:*:*:*:* versions up to (excluding) 6.1.0.4.0
    • cpe:2.3:a:oracle:communications_webrtc_session_controller:*:*:*:*:*:*:*:* versions up to (excluding) 7.2
    • cpe:2.3:a:oracle:endeca_information_discovery_studio:3.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:endeca_information_discovery_studio:3.2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:enterprise_manager_ops_center:12.2.2:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.3:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:enterprise_operations_monitor:3.4:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:enterprise_operations_monitor:4.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from (including) 7.3.3; versions up to (including) 7.3.5
    • cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from (including) 8.0.0; versions up to (including) 8.0.7
    • cpe:2.3:a:oracle:financial_services_asset_liability_management:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
    • cpe:2.3:a:oracle:financial_services_data_integration_hub:*:*:*:*:*:*:*:* versions from (including) 8.0.5; versions up to (including) 8.0.7
    • cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
    • cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
    • cpe:2.3:a:oracle:financial_services_liquidity_risk_management:*:*:*:*:*:*:*:* versions from (including) 8.0.2; versions up to (including) 8.0.6
    • cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:*:*:*:*:*:*:*:* versions from (including) 8.0.2; versions up to (including) 8.0.7
    • cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.5:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.6:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_profitability_management:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.6
    • cpe:2.3:a:oracle:financial_services_reconciliation_framework:8.0.5:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_reconciliation_framework:8.0.6:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:fusion_middleware_mapviewer:12.2.1.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:healthcare_foundation:7.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:healthcare_foundation:7.2:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:healthcare_translational_research:3.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:hospitality_cruise_fleet_management:9.0.11:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:hospitality_materials_control:18.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:hospitality_reporting_and_analytics:9.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.2:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.4:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.5:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jdeveloper:11.1.1.9.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jdeveloper:12.1.3.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:oss_support_tools:19.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.55:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:primavera_gateway:15.2:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:primavera_gateway:16.2:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:primavera_gateway:17.12:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:* versions from (including) 17.1; versions up to (including) 17.12
    • cpe:2.3:a:oracle:primavera_unifier:16.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:real-time_scheduler:2.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:retail_allocation:15.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:retail_customer_insights:15.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:retail_customer_insights:16.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:retail_invoice_matching:15.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:retail_sales_audit:15.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:retail_workforce_management_software:1.60.9:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:retail_workforce_management_software:1.64.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:service_bus:12.1.3.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:service_bus:12.2.1.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:siebel_ui_framework:18.10:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:siebel_ui_framework:18.11:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:utilities_framework:*:*:*:*:*:*:*:* versions from (including) 4.3.0.1; versions up to (including) 4.3.0.4
    • cpe:2.3:a:oracle:utilities_mobile_workforce_management:2.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:webcenter_sites:11.1.1.8.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:weblogic_server:12.1.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:weblogic_server:12.2.1.3:*:*:*:*:*:*:*

    CVE-2019-11358  

    jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
    CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

    CVSSv2:
    • Base Score: MEDIUM (4.3)
    • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
    CVSSv3:
    • Base Score: MEDIUM (6.1)
    • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:2.8/RC:R/MAV:A

    References:

    Vulnerable Software & Versions (NVD):

    • cpe:2.3:a:backdropcms:backdrop:*:*:*:*:*:*:*:* versions from (including) 1.11.0; versions up to (excluding) 1.11.9
    • cpe:2.3:a:backdropcms:backdrop:*:*:*:*:*:*:*:* versions from (including) 1.12.0; versions up to (excluding) 1.12.6
    • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 7.0; versions up to (excluding) 7.66
    • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 8.5.0; versions up to (excluding) 8.5.15
    • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 8.6.0; versions up to (excluding) 8.6.15
    • cpe:2.3:a:joomla:joomla\!:*:*:*:*:*:*:*:* versions from (including) 3.0.0; versions up to (including) 3.9.4
    • cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:* versions up to (excluding) 3.4.0
    • cpe:2.3:a:netapp:oncommand_system_manager:*:*:*:*:*:*:*:* versions from (including) 3.0; versions up to (including) 3.1.3
    • cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*
    • cpe:2.3:a:opensuse:backports_sle:15.0:sp1:*:*:*:*:*:*
    • cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:* versions up to (excluding) 19.1
    • cpe:2.3:a:oracle:application_service_level_management:13.2.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:application_service_level_management:13.3.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:application_testing_suite:12.5.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:application_testing_suite:13.1.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:application_testing_suite:13.2:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:application_testing_suite:13.2.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:application_testing_suite:13.3:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:banking_digital_experience:18.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:banking_digital_experience:18.2:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:banking_digital_experience:18.3:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:banking_digital_experience:19.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:banking_digital_experience:19.2:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:banking_digital_experience:20.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:banking_enterprise_collections:*:*:*:*:*:*:*:* versions from (including) 2.7.0; versions up to (including) 2.8.0
    • cpe:2.3:a:oracle:banking_platform:*:*:*:*:*:*:*:* versions from (including) 2.4.0; versions up to (including) 2.10.0
    • cpe:2.3:a:oracle:bi_publisher:5.5.0.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:bi_publisher:12.2.1.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:bi_publisher:12.2.1.4.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:big_data_discovery:1.6:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:business_process_management_suite:12.2.1.4.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_analytics:12.1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_application_session_controller:3.8m0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_billing_and_revenue_management:7.5:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_billing_and_revenue_management:7.5.0.23.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0.0.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_diameter_signaling_router:8.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_diameter_signaling_router:8.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_diameter_signaling_router:8.2:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_diameter_signaling_router:8.2.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_eagle_application_processor:*:*:*:*:*:*:*:* versions from (including) 16.1.0; versions up to (including) 16.4.0
    • cpe:2.3:a:oracle:communications_element_manager:8.1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_element_manager:8.2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_element_manager:8.2.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_interactive_session_recorder:*:*:*:*:*:*:*:* versions from (including) 6.0; versions up to (including) 6.4
    • cpe:2.3:a:oracle:communications_operations_monitor:*:*:*:*:*:*:*:* versions from (including) 4.1; versions up to (including) 4.3
    • cpe:2.3:a:oracle:communications_operations_monitor:3.4:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_operations_monitor:4.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_operations_monitor:4.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_services_gatekeeper:7.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_session_report_manager:8.1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_session_report_manager:8.2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_session_report_manager:8.2.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_session_route_manager:8.1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_session_route_manager:8.2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_session_route_manager:8.2.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_unified_inventory_management:7.3:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_webrtc_session_controller:7.2:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:diagnostic_assistant:2.12.36:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.3:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:enterprise_session_border_controller:8.4:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from (including) 7.3.3; versions up to (including) 7.3.5
    • cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from (including) 8.0.2; versions up to (including) 8.1.0
    • cpe:2.3:a:oracle:financial_services_analytical_applications_reconciliation_framework:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
    • cpe:2.3:a:oracle:financial_services_analytical_applications_reconciliation_framework:8.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_asset_liability_management:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
    • cpe:2.3:a:oracle:financial_services_asset_liability_management:8.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_balance_sheet_planning:8.0.8:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_basic:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
    • cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_basic:8.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_internal_ratings_based_approach:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
    • cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_internal_ratings_based_approach:8.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_data_foundation:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.8
    • cpe:2.3:a:oracle:financial_services_data_governance_for_us_regulatory_reporting:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.9
    • cpe:2.3:a:oracle:financial_services_data_integration_hub:*:*:*:*:*:*:*:* versions from (including) 8.0.5; versions up to (including) 8.0.7
    • cpe:2.3:a:oracle:financial_services_data_integration_hub:8.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_enterprise_financial_performance_analytics:8.0.6:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_enterprise_financial_performance_analytics:8.0.7:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
    • cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:8.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
    • cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:8.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
    • cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_liquidity_risk_management:8.0.0.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_liquidity_risk_management:8.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_liquidity_risk_management:8.0.4.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_liquidity_risk_management:8.0.5.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_liquidity_risk_management:8.0.6:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.0.7:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.0.8:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:*:*:*:*:*:*:*:* versions from (including) 8.0.2; versions up to (including) 8.0.7
    • cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:8.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.5:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.6:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.8:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_price_creation_and_discovery:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
    • cpe:2.3:a:oracle:financial_services_profitability_management:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
    • cpe:2.3:a:oracle:financial_services_profitability_management:8.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_de_nederlandsche_bank:8.0.4:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_european_banking_authority:8.0.6:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_european_banking_authority:8.0.7:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_us_federal_reserve:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
    • cpe:2.3:a:oracle:financial_services_retail_customer_analytics:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.6
    • cpe:2.3:a:oracle:financial_services_retail_performance_analytics:8.0.6:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_retail_performance_analytics:8.0.7:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:2.4.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:2.4.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:fusion_middleware_mapviewer:12.2.1.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:healthcare_foundation:7.1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:healthcare_foundation:7.2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:healthcare_foundation:7.2.2:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:healthcare_foundation:7.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:healthcare_translational_research:3.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:healthcare_translational_research:3.2.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:healthcare_translational_research:3.3.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:healthcare_translational_research:3.3.2:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:healthcare_translational_research:3.4.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:hospitality_materials_control:18.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:hospitality_simphony:*:*:*:*:*:*:*:* versions from (including) 19.1.0; versions up to (including) 19.1.2
    • cpe:2.3:a:oracle:hospitality_simphony:18.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:hospitality_simphony:18.2:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:identity_manager:12.2.1.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:insurance_accounting_analyzer:8.0.9:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:insurance_allocation_manager_for_enterprise_profitability:8.0.8:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:insurance_allocation_manager_for_enterprise_profitability:8.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:insurance_data_foundation:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
    • cpe:2.3:a:oracle:insurance_ifrs_17_analyzer:8.0.6:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:insurance_ifrs_17_analyzer:8.0.7:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:*:*:*:*:*:*:*:* versions from (including) 5.0.0.0; versions up to (including) 5.6.0.0
    • cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.6.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:insurance_performance_insight:8.0.7:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jdeveloper:11.1.1.9.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jdeveloper:12.2.1.4.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jdeveloper_and_adf:11.1.1.9.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jdeveloper_and_adf:12.1.3.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jdeveloper_and_adf:12.2.1.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:knowledge:*:*:*:*:*:*:*:* versions from (including) 8.6.0; versions up to (including) 8.6.3
    • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.55:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:policy_automation:*:*:*:*:*:*:*:* versions from (including) 12.2.0; versions up to (including) 12.2.15
    • cpe:2.3:a:oracle:policy_automation:10.4.7:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:policy_automation:12.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:policy_automation:12.1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:policy_automation_connector_for_siebel:10.4.6:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:policy_automation_for_mobile_devices:*:*:*:*:*:*:*:* versions from (including) 12.2.0; versions up to (including) 12.2.15
    • cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 16.2.0; versions up to (including) 16.2.11
    • cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 17.12.0; versions up to (including) 17.12.7
    • cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 18.8.0; versions up to (including) 18.8.9
    • cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 19.12.0; versions up to (including) 19.12.4
    • cpe:2.3:a:oracle:primavera_gateway:15.2.18:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:* versions from (including) 17.7; versions up to (including) 17.12
    • cpe:2.3:a:oracle:primavera_unifier:16.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:real-time_scheduler:*:*:*:*:*:*:*:* versions from (including) 2.3.0.1; versions up to (including) 2.3.0.3
    • cpe:2.3:a:oracle:rest_data_services:18c:*:*:*:-:*:*:*
    • cpe:2.3:a:oracle:rest_data_services:19c:*:*:*:-:*:*:*
    • cpe:2.3:a:oracle:rest_data_services:11.2.0.4:*:*:*:-:*:*:*
    • cpe:2.3:a:oracle:rest_data_services:12.1.0.2:*:*:*:-:*:*:*
    • cpe:2.3:a:oracle:rest_data_services:12.2.0.1:*:*:*:-:*:*:*
    • cpe:2.3:a:oracle:retail_back_office:14.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:retail_back_office:14.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:retail_central_office:14.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:retail_central_office:14.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:retail_customer_insights:15.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:retail_customer_insights:16.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:18.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:19.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:retail_point-of-service:14.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:retail_point-of-service:14.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:retail_returns_management:14.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:retail_returns_management:14.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:service_bus:11.1.1.9.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:service_bus:12.1.3.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:service_bus:12.2.1.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:siebel_mobile_applications:*:*:*:*:*:*:*:* versions up to (including) 19.8
    • cpe:2.3:a:oracle:siebel_ui_framework:20.8:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:storagetek_tape_analytics_sw_tool:2.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:system_utilities:19.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:tape_library_acsls:8.5:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:tape_library_acsls:8.5.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:transportation_management:1.4.3:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:utilities_mobile_workforce_management:*:*:*:*:*:*:*:* versions from (including) 2.3.0.1; versions up to (including) 2.3.0.3
    • cpe:2.3:a:oracle:webcenter_sites:12.2.1.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:redhat:cloudforms:4.7:*:*:*:*:*:*:*
    • cpe:2.3:a:redhat:virtualization_manager:4.3:*:*:*:*:*:*:*

    CVE-2020-11022  

    In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
    CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

    CVSSv2:
    • Base Score: MEDIUM (4.3)
    • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
    CVSSv3:
    • Base Score: MEDIUM (6.1)
    • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:2.8/RC:R/MAV:A

    References:

    Vulnerable Software & Versions (NVD):

    • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 7.0; versions up to (excluding) 7.70
    • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 8.7.0; versions up to (excluding) 8.7.14
    • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 8.8.0; versions up to (excluding) 8.8.6
    • cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:* versions from (including) 1.2; versions up to (excluding) 3.5.0
    • cpe:2.3:a:netapp:max_data:-:*:*:*:*:*:*:*
    • cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*
    • cpe:2.3:a:netapp:oncommand_system_manager:*:*:*:*:*:*:*:* versions from (including) 3.0; versions up to (including) 3.1.3
    • cpe:2.3:a:netapp:snap_creator_framework:-:*:*:*:*:*:*:*
    • cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:agile_product_supplier_collaboration_for_process:6.2.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:banking_digital_experience:*:*:*:*:*:*:*:* versions from (including) 18.1; versions up to (including) 20.1
    • cpe:2.3:a:oracle:banking_digital_experience:18.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:banking_digital_experience:18.2:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:banking_digital_experience:18.3:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:banking_digital_experience:19.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:banking_digital_experience:19.2:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:banking_digital_experience:20.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:blockchain_platform:*:*:*:*:*:*:*:* versions up to (excluding) 21.1.2
    • cpe:2.3:a:oracle:communications_application_session_controller:3.8m0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_billing_and_revenue_management:7.5.0.23.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0.0.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_diameter_signaling_router_idih\::*:*:*:*:*:*:*:* versions from (including) 8.0.0; versions up to (including) 8.2.2
    • cpe:2.3:a:oracle:communications_eagle_application_processor:*:*:*:*:*:*:*:* versions from (including) 16.1.0; versions up to (including) 16.4.0
    • cpe:2.3:a:oracle:communications_services_gatekeeper:7.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_webrtc_session_controller:7.2:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:enterprise_session_border_controller:8.4:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.1.0
    • cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from (including) 8.0.6.0.0; versions up to (including) 8.1.0.0.0
    • cpe:2.3:a:oracle:financial_services_analytical_applications_reconciliation_framework:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.8
    • cpe:2.3:a:oracle:financial_services_analytical_applications_reconciliation_framework:8.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_asset_liability_management:8.0.6:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_asset_liability_management:8.0.7:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_asset_liability_management:8.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_balance_sheet_planning:8.0.8:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_basic:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.8
    • cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_basic:8.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_internal_ratings_based_approach:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.8
    • cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_internal_ratings_based_approach:8.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_data_foundation:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.1.0
    • cpe:2.3:a:oracle:financial_services_data_governance_for_us_regulatory_reporting:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.9
    • cpe:2.3:a:oracle:financial_services_data_integration_hub:8.0.6:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_data_integration_hub:8.0.7:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_data_integration_hub:8.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:8.0.6:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:8.0.7:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:8.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.8
    • cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:8.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.0.6:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.0.7:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_liquidity_risk_management:8.0.6:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.0.7:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.0.8:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.8
    • cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:8.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.6:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.8:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_price_creation_and_discovery:8.0.6:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_price_creation_and_discovery:8.0.7:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_profitability_management:8.0.6:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_profitability_management:8.0.7:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_profitability_management:8.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_european_banking_authority:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.1.0
    • cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_us_federal_reserve:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.9
    • cpe:2.3:a:oracle:healthcare_foundation:7.1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:healthcare_foundation:7.2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:healthcare_foundation:7.2.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:healthcare_foundation:7.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:hospitality_materials_control:18.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:hospitality_simphony:*:*:*:*:*:*:*:* versions from (including) 19.1.0; versions up to (including) 19.1.2
    • cpe:2.3:a:oracle:hospitality_simphony:18.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:hospitality_simphony:18.2:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:hospitality_simphony:19.1.0-19.1.2:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:insurance_accounting_analyzer:8.0.9:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:insurance_allocation_manager_for_enterprise_profitability:8.0.8:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:insurance_allocation_manager_for_enterprise_profitability:8.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:insurance_data_foundation:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.1.0
    • cpe:2.3:a:oracle:insurance_data_foundation:8.0.6-8.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:*:*:*:*:*:*:*:* versions from (including) 5.0.0.0; versions up to (including) 5.6.0.0
    • cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.6.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jdeveloper:11.1.1.9.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jdeveloper:12.2.1.4.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:policy_automation:*:*:*:*:*:*:*:* versions from (including) 12.2.0; versions up to (including) 12.2.20
    • cpe:2.3:a:oracle:policy_automation_connector_for_siebel:10.4.6:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:policy_automation_for_mobile_devices:*:*:*:*:*:*:*:* versions from (including) 12.2.0; versions up to (including) 12.2.20
    • cpe:2.3:a:oracle:retail_back_office:14.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:retail_back_office:14.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:19.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:retail_returns_management:14.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:retail_returns_management:14.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:siebel_ui_framework:20.8:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:storagetek_acsls:8.5.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:tenable:log_correlation_engine:*:*:*:*:*:*:*:* versions up to (excluding) 6.0.9

    CVE-2020-11023  

    In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
    CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

    CVSSv2:
    • Base Score: MEDIUM (4.3)
    • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
    CVSSv3:
    • Base Score: MEDIUM (6.1)
    • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

    References:

    Vulnerable Software & Versions (NVD):

    • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 7.0; versions up to (excluding) 7.70
    • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 8.7.0; versions up to (excluding) 8.7.14
    • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 8.8.0; versions up to (excluding) 8.8.6
    • cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:* versions from (including) 1.0.3; versions up to (excluding) 3.5.0
    • cpe:2.3:a:netapp:max_data:-:*:*:*:*:*:*:*
    • cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*
    • cpe:2.3:a:netapp:oncommand_system_manager:*:*:*:*:*:*:*:* versions from (including) 3.0; versions up to (including) 3.1.3
    • cpe:2.3:a:netapp:snap_creator_framework:-:*:*:*:*:*:*:*
    • cpe:2.3:a:netapp:snapcenter_server:-:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:* versions up to (excluding) 20.2
    • cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:banking_enterprise_collections:*:*:*:*:*:*:*:* versions from (including) 2.7.0; versions up to (including) 2.8.0
    • cpe:2.3:a:oracle:banking_platform:*:*:*:*:*:*:*:* versions from (including) 2.4.0; versions up to (including) 2.10.0
    • cpe:2.3:a:oracle:business_intelligence:5.9.0.0.0:*:*:*:enterprise:*:*:*
    • cpe:2.3:a:oracle:communications_analytics:12.1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_eagle_application_processor:*:*:*:*:*:*:*:* versions from (including) 16.1.0; versions up to (including) 16.4.0
    • cpe:2.3:a:oracle:communications_element_manager:8.1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_element_manager:8.2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_element_manager:8.2.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_interactive_session_recorder:*:*:*:*:*:*:*:* versions from (including) 6.1; versions up to (including) 6.4
    • cpe:2.3:a:oracle:communications_operations_monitor:*:*:*:*:*:*:*:* versions from (including) 4.1; versions up to (including) 4.3
    • cpe:2.3:a:oracle:communications_operations_monitor:3.4:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_services_gatekeeper:7.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_session_report_manager:8.1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_session_report_manager:8.2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_session_report_manager:8.2.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_session_route_manager:8.1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_session_route_manager:8.2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_session_route_manager:8.2.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_de_nederlandsche_bank:8.0.4:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.7:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.8:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:health_sciences_inform:6.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:healthcare_translational_research:3.2.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:healthcare_translational_research:3.3.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:healthcare_translational_research:3.3.2:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:healthcare_translational_research:3.4.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:hyperion_financial_reporting:11.1.2.4:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jd_edwards_enterpriseone_orchestrator:*:*:*:*:*:*:*:* versions up to (excluding) 9.2.5.0
    • cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:* versions up to (excluding) 9.2.5.0
    • cpe:2.3:a:oracle:oss_support_tools:*:*:*:*:*:*:*:* versions up to (excluding) 2.12.41
    • cpe:2.3:a:oracle:peoplesoft_enterprise_human_capital_management_resources:9.2:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 16.2; versions up to (including) 16.2.11
    • cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 17.12.0; versions up to (including) 17.12.7
    • cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 18.8.0; versions up to (including) 18.8.9
    • cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 19.12.0; versions up to (including) 19.12.4
    • cpe:2.3:a:oracle:rest_data_services:18c:*:*:*:-:*:*:*
    • cpe:2.3:a:oracle:rest_data_services:19c:*:*:*:-:*:*:*
    • cpe:2.3:a:oracle:rest_data_services:11.2.0.4:*:*:*:-:*:*:*
    • cpe:2.3:a:oracle:rest_data_services:12.1.0.2:*:*:*:-:*:*:*
    • cpe:2.3:a:oracle:rest_data_services:12.2.0.1:*:*:*:-:*:*:*
    • cpe:2.3:a:oracle:siebel_mobile:*:*:*:*:*:*:*:* versions up to (including) 20.12
    • cpe:2.3:a:oracle:storagetek_acsls:8.5.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:storagetek_tape_analytics_sw_tool:2.3.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:webcenter_sites:12.2.1.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:webcenter_sites:12.2.1.4.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:tenable:log_correlation_engine:*:*:*:*:*:*:*:* versions up to (excluding) 6.0.9

    jQuery 1.x and 2.x are End-of-Life and no longer receiving security updates (RETIREJS)  

    jQuery 1.x and 2.x are End-of-Life and no longer receiving security updates
    Unscored:
    • Severity: low

    References:

    jquery-1.8.3.min.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-1.8.3.min.js
    MD5: 3576a6e73c9dccdbbc4a2cf8ff544ad7
    SHA1: 06e872300088b9ba8a08427d28ed0efcdf9c6ff5
    SHA256: 61c6caebd23921741fb5ffe6603f16634fca9840c2bf56ac8201e9264d6daccf
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    CVE-2012-6708  

    jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.
    CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

    CVSSv2:
    • Base Score: MEDIUM (4.3)
    • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
    CVSSv3:
    • Base Score: MEDIUM (6.1)
    • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

    References:

    Vulnerable Software & Versions (NVD):

    • cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:* versions up to (excluding) 1.9.0
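    The classification change described for CVE-2012-6708, as an added example that is not jQuery's source and not part of this report. The two regular expressions follow jQuery's `rquickExpr` from 1.8.x and 1.9.x as recalled here (an assumption about the exact upstream patterns); the leading `<...>` fast path mirrors jQuery's shortcut. The tainted value and the attribute selector built from it are constructed for the demonstration.

```javascript
// Added example, not jQuery's code. Before 1.9.0 a "<" anywhere in the string
// made $(str) parse it as HTML; from 1.9.0 only a leading "<" does.
const RQUICK_LEGACY = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/; // jQuery 1.8.x (assumed)
const RQUICK_FIXED  = /^(?:(<[\w\W]+>)[^>]*|#([\w-]*))$/;         // jQuery 1.9.x (assumed)

// Returns how $(input) would treat the string: 'html' (parsed and inserted into
// the DOM), 'id' (getElementById fast path) or 'selector' (handed to Sizzle).
function classify(input, rquickExpr) {
  if (typeof input !== 'string' || input === '') return 'empty';
  let match;
  // jQuery's own shortcut: a string that starts with "<" and ends with ">" is HTML
  if (input.charAt(0) === '<' && input.charAt(input.length - 1) === '>' && input.length >= 3) {
    match = [null, input, null];
  } else {
    match = rquickExpr.exec(input);
  }
  if (match && match[1]) return 'html';
  if (match && match[2] !== undefined) return 'id';
  return 'selector';
}

// Constructed attacker value: think of a query-string parameter that application
// code splices into an attribute selector such as $("a[href='" + value + "']").
const TAINTED = "x<img src=x onerror=alert(1)>";
const builtSelector = `a[href='${TAINTED}']`;

// Guard for code that has to stay on a pre-1.9 jQuery: refuse to hand $() any
// string containing "<". Escaping CSS metacharacters does not help here, because
// the HTML check runs before the selector is ever parsed.
function assertSelectorOnly(str) {
  if (str.includes('<')) {
    throw new Error('refusing to pass "<" to $(): legacy jQuery would parse it as HTML');
  }
  return str;
}

function demo() {
  return {
    legacy: classify(builtSelector, RQUICK_LEGACY), // 'html': the <img> is created, onerror fires
    fixed:  classify(builtSelector, RQUICK_FIXED),  // 'selector': at worst a Sizzle syntax error
  };
}

console.log(demo());
```

On a 1.8.3 code base that cannot be upgraded yet, route untrusted strings that must be selectors through `.find()` on an existing jQuery object (which never parses HTML) and keep the guard above in front of any `$(str)` call; the proper fix remains moving past 1.9.0.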

    CVE-2015-9251  

    jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
    CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

    CVSSv2:
    • Base Score: MEDIUM (4.3)
    • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
    CVSSv3:
    • Base Score: MEDIUM (6.1)
    • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

    References:

    Vulnerable Software & Versions (NVD):

    • cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:* versions up to (excluding) 3.0.0
    • cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.3.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:banking_platform:2.6.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:banking_platform:2.6.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:banking_platform:2.6.2:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:business_process_management_suite:11.1.1.9.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:business_process_management_suite:12.1.3.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_converged_application_server:*:*:*:*:*:*:*:* versions up to (excluding) 7.0.0.1
    • cpe:2.3:a:oracle:communications_interactive_session_recorder:6.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_interactive_session_recorder:6.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_interactive_session_recorder:6.2:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_services_gatekeeper:*:*:*:*:*:*:*:* versions up to (excluding) 6.1.0.4.0
    • cpe:2.3:a:oracle:communications_webrtc_session_controller:*:*:*:*:*:*:*:* versions up to (excluding) 7.2
    • cpe:2.3:a:oracle:endeca_information_discovery_studio:3.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:endeca_information_discovery_studio:3.2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:enterprise_manager_ops_center:12.2.2:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.3:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:enterprise_operations_monitor:3.4:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:enterprise_operations_monitor:4.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from (including) 7.3.3; versions up to (including) 7.3.5
    • cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from (including) 8.0.0; versions up to (including) 8.0.7
    • cpe:2.3:a:oracle:financial_services_asset_liability_management:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
    • cpe:2.3:a:oracle:financial_services_data_integration_hub:*:*:*:*:*:*:*:* versions from (including) 8.0.5; versions up to (including) 8.0.7
    • cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
    • cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
    • cpe:2.3:a:oracle:financial_services_liquidity_risk_management:*:*:*:*:*:*:*:* versions from (including) 8.0.2; versions up to (including) 8.0.6
    • cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:*:*:*:*:*:*:*:* versions from (including) 8.0.2; versions up to (including) 8.0.7
    • cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.5:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.6:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_profitability_management:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.6
    • cpe:2.3:a:oracle:financial_services_reconciliation_framework:8.0.5:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_reconciliation_framework:8.0.6:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:fusion_middleware_mapviewer:12.2.1.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:healthcare_foundation:7.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:healthcare_foundation:7.2:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:healthcare_translational_research:3.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:hospitality_cruise_fleet_management:9.0.11:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:hospitality_materials_control:18.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:hospitality_reporting_and_analytics:9.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.2:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.4:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.5:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jdeveloper:11.1.1.9.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jdeveloper:12.1.3.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:oss_support_tools:19.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.55:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:primavera_gateway:15.2:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:primavera_gateway:16.2:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:primavera_gateway:17.12:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:* versions from (including) 17.1; versions up to (including) 17.12
    • cpe:2.3:a:oracle:primavera_unifier:16.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:real-time_scheduler:2.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:retail_allocation:15.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:retail_customer_insights:15.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:retail_customer_insights:16.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:retail_invoice_matching:15.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:retail_sales_audit:15.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:retail_workforce_management_software:1.60.9:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:retail_workforce_management_software:1.64.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:service_bus:12.1.3.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:service_bus:12.2.1.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:siebel_ui_framework:18.10:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:siebel_ui_framework:18.11:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:utilities_framework:*:*:*:*:*:*:*:* versions from (including) 4.3.0.1; versions up to (including) 4.3.0.4
    • cpe:2.3:a:oracle:utilities_mobile_workforce_management:2.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:webcenter_sites:11.1.1.8.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:weblogic_server:12.1.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:weblogic_server:12.2.1.3:*:*:*:*:*:*:*
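    A way to confirm (or refute) a jQuery finding like the ones above independently of the scanner, as an added example that is not Dependency-Check's code and not part of this report. It reads the version jQuery stamps into its own banner and tests it against the jquery:jquery ranges quoted from NVD on this page. The banner formats are as recalled here (an assumption); the sample file header is constructed to match the first line of a 1.8.3 minified build.

```javascript
// Added example, not Dependency-Check's code: version-range triage for a jQuery file.

// Ranges copied from the "Vulnerable Software & Versions (NVD)" lines of this
// report. A null bound means NVD gives no bound on that side.
const NVD_JQUERY_RANGES = [
  { cve: 'CVE-2012-6708',  from: null,    fromInclusive: true, to: '1.9.0', toInclusive: false },
  { cve: 'CVE-2015-9251',  from: null,    fromInclusive: true, to: '3.0.0', toInclusive: false },
  { cve: 'CVE-2019-11358', from: null,    fromInclusive: true, to: '3.4.0', toInclusive: false },
  { cve: 'CVE-2020-11023', from: '1.0.3', fromInclusive: true, to: '3.5.0', toInclusive: false },
];

// jQuery releases are numeric x.y.z; missing components count as 0.
function parseVersion(text) {
  const m = /^(\d+)(?:\.(\d+))?(?:\.(\d+))?/.exec(text.trim());
  if (!m) throw new Error(`unparseable version: ${text}`);
  return [Number(m[1]), Number(m[2] || 0), Number(m[3] || 0)];
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

function inRange(version, r) {
  if (r.from !== null) {
    const c = compareVersions(version, r.from);
    if (c < 0 || (c === 0 && !r.fromInclusive)) return false;
  }
  if (r.to !== null) {
    const c = compareVersions(version, r.to);
    if (c > 0 || (c === 0 && !r.toInclusive)) return false;
  }
  return true;
}

// jQuery writes its version into the first line of every build (assumed formats):
//   minified:   /*! jQuery v1.8.3 jquery.com | jquery.org/license */
//   unminified: /*! jQuery JavaScript Library v1.8.3
function versionFromBanner(source) {
  const m = /\/\*!\s*jQuery(?:\s+JavaScript\s+Library)?\s+v(\d+\.\d+\.\d+)/.exec(source);
  return m ? m[1] : null;
}

function affectedCves(version) {
  return NVD_JQUERY_RANGES.filter((r) => inRange(version, r)).map((r) => r.cve);
}

// Constructed stand-in for the first bytes of jquery-1.8.3.min.js.
const SAMPLE_SOURCE = '/*! jQuery v1.8.3 jquery.com | jquery.org/license */\n(function(e,t){/* ... */})(window);';

function triage(source) {
  const version = versionFromBanner(source);
  if (version === null) {
    return { version: null, cves: [], note: 'no jQuery banner found; fall back to the file hashes in the report' };
  }
  return { version, cves: affectedCves(version) };
}

console.log(JSON.stringify(triage(SAMPLE_SOURCE), null, 2));
```

At runtime the same number is available as `jQuery.fn.jquery`, which is the value to check when a bundler has stripped the banner; a banner-less file should be matched by the SHA-256 the report prints rather than guessed from its file name.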

    CVE-2019-11358  

    jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
    CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
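    The mechanism described for CVE-2019-11358, as an added example that is not jQuery's source and not part of this report: a minimal recursive "deep extend" with the same flaw, beside a hardened version. It runs in Node without jQuery; the hostile JSON document is constructed for the demonstration.

```javascript
// Added example, not jQuery's code: prototype pollution through a deep merge.

// Flawed merge. for-in yields an own enumerable "__proto__" key (JSON.parse creates
// one from the payload below), target["__proto__"] resolves to Object.prototype,
// and the recursion writes the attacker's keys onto it.
function deepExtendVulnerable(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      deepExtendVulnerable(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: own keys only, and the keys that reach the prototype chain are
// skipped outright (the same __proto__ guard jQuery 3.4.0 added to jQuery.extend,
// plus the constructor/prototype pair used by the other common pollution path).
const PROTOTYPE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function deepExtendSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (PROTOTYPE_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      // Only recurse into a value the target itself owns, never an inherited one.
      const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      const next = own !== null && typeof own === 'object' && !Array.isArray(own) ? own : {};
      target[key] = deepExtendSafe(next, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed hostile payload, e.g. a JSON request body that a handler merges
// into a defaults object before reading it.
const HOSTILE_JSON = '{"name":"widget","__proto__":{"isAdmin":true}}';

// Runs one merge and reports whether an unrelated, empty object now answers
// isAdmin === true. Cleans Object.prototype afterwards so the process stays usable.
function pollutes(extendFn) {
  const bystander = {};
  extendFn({}, JSON.parse(HOSTILE_JSON));
  const leaked = bystander.isAdmin === true;
  delete Object.prototype.isAdmin;
  return leaked;
}

console.log('vulnerable merge pollutes:', pollutes(deepExtendVulnerable)); // true
console.log('hardened merge pollutes:  ', pollutes(deepExtendSafe));       // false
```

The bystander object is the point: once `Object.prototype` carries `isAdmin`, every `{}` in the process inherits it, so an authorization check written as `if (user.isAdmin)` passes for everyone until the property is removed or the process restarts.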

    CVSSv2:
    • Base Score: MEDIUM (4.3)
    • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
    CVSSv3:
    • Base Score: MEDIUM (6.1)
    • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

    References:

    Vulnerable Software & Versions (NVD):

    • cpe:2.3:a:backdropcms:backdrop:*:*:*:*:*:*:*:* versions from (including) 1.11.0; versions up to (excluding) 1.11.9
    • cpe:2.3:a:backdropcms:backdrop:*:*:*:*:*:*:*:* versions from (including) 1.12.0; versions up to (excluding) 1.12.6
    • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 7.0; versions up to (excluding) 7.66
    • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 8.5.0; versions up to (excluding) 8.5.15
    • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 8.6.0; versions up to (excluding) 8.6.15
    • cpe:2.3:a:joomla:joomla\!:*:*:*:*:*:*:*:* versions from (including) 3.0.0; versions up to (including) 3.9.4
    • cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:* versions up to (excluding) 3.4.0
    • cpe:2.3:a:netapp:oncommand_system_manager:*:*:*:*:*:*:*:* versions from (including) 3.0; versions up to (including) 3.1.3
    • cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*
    • cpe:2.3:a:opensuse:backports_sle:15.0:sp1:*:*:*:*:*:*
    • cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:* versions up to (excluding) 19.1
    • cpe:2.3:a:oracle:application_service_level_management:13.2.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:application_service_level_management:13.3.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:application_testing_suite:12.5.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:application_testing_suite:13.1.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:application_testing_suite:13.2:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:application_testing_suite:13.2.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:application_testing_suite:13.3:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:banking_digital_experience:18.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:banking_digital_experience:18.2:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:banking_digital_experience:18.3:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:banking_digital_experience:19.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:banking_digital_experience:19.2:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:banking_digital_experience:20.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:banking_enterprise_collections:*:*:*:*:*:*:*:* versions from (including) 2.7.0; versions up to (including) 2.8.0
    • cpe:2.3:a:oracle:banking_platform:*:*:*:*:*:*:*:* versions from (including) 2.4.0; versions up to (including) 2.10.0
    • cpe:2.3:a:oracle:bi_publisher:5.5.0.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:bi_publisher:12.2.1.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:bi_publisher:12.2.1.4.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:big_data_discovery:1.6:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:business_process_management_suite:12.2.1.4.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_analytics:12.1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_application_session_controller:3.8m0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_billing_and_revenue_management:7.5:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_billing_and_revenue_management:7.5.0.23.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0.0.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_diameter_signaling_router:8.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_diameter_signaling_router:8.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_diameter_signaling_router:8.2:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_diameter_signaling_router:8.2.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_eagle_application_processor:*:*:*:*:*:*:*:* versions from (including) 16.1.0; versions up to (including) 16.4.0
    • cpe:2.3:a:oracle:communications_element_manager:8.1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_element_manager:8.2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_element_manager:8.2.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_interactive_session_recorder:*:*:*:*:*:*:*:* versions from (including) 6.0; versions up to (including) 6.4
    • cpe:2.3:a:oracle:communications_operations_monitor:*:*:*:*:*:*:*:* versions from (including) 4.1; versions up to (including) 4.3
    • cpe:2.3:a:oracle:communications_operations_monitor:3.4:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_operations_monitor:4.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_operations_monitor:4.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_services_gatekeeper:7.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_session_report_manager:8.1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_session_report_manager:8.2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_session_report_manager:8.2.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_session_route_manager:8.1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_session_route_manager:8.2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_session_route_manager:8.2.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_unified_inventory_management:7.3:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_webrtc_session_controller:7.2:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:diagnostic_assistant:2.12.36:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.3:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:enterprise_session_border_controller:8.4:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from (including) 7.3.3; versions up to (including) 7.3.5
    • cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from (including) 8.0.2; versions up to (including) 8.1.0
    • cpe:2.3:a:oracle:financial_services_analytical_applications_reconciliation_framework:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
    • cpe:2.3:a:oracle:financial_services_analytical_applications_reconciliation_framework:8.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_asset_liability_management:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
    • cpe:2.3:a:oracle:financial_services_asset_liability_management:8.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_balance_sheet_planning:8.0.8:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_basic:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
    • cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_basic:8.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_internal_ratings_based_approach:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
    • cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_internal_ratings_based_approach:8.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_data_foundation:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.8
    • cpe:2.3:a:oracle:financial_services_data_governance_for_us_regulatory_reporting:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.9
    • cpe:2.3:a:oracle:financial_services_data_integration_hub:*:*:*:*:*:*:*:* versions from (including) 8.0.5; versions up to (including) 8.0.7
    • cpe:2.3:a:oracle:financial_services_data_integration_hub:8.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_enterprise_financial_performance_analytics:8.0.6:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_enterprise_financial_performance_analytics:8.0.7:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
    • cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:8.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
    • cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:8.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
    • cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_liquidity_risk_management:8.0.0.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_liquidity_risk_management:8.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_liquidity_risk_management:8.0.4.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_liquidity_risk_management:8.0.5.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_liquidity_risk_management:8.0.6:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.0.7:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.0.8:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:*:*:*:*:*:*:*:* versions from (including) 8.0.2; versions up to (including) 8.0.7
    • cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:8.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.5:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.6:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.8:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_price_creation_and_discovery:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
    • cpe:2.3:a:oracle:financial_services_profitability_management:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
    • cpe:2.3:a:oracle:financial_services_profitability_management:8.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_de_nederlandsche_bank:8.0.4:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_european_banking_authority:8.0.6:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_european_banking_authority:8.0.7:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_us_federal_reserve:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
    • cpe:2.3:a:oracle:financial_services_retail_customer_analytics:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.6
    • cpe:2.3:a:oracle:financial_services_retail_performance_analytics:8.0.6:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_retail_performance_analytics:8.0.7:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:2.4.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:2.4.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:fusion_middleware_mapviewer:12.2.1.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:healthcare_foundation:7.1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:healthcare_foundation:7.2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:healthcare_foundation:7.2.2:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:healthcare_foundation:7.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:healthcare_translational_research:3.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:healthcare_translational_research:3.2.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:healthcare_translational_research:3.3.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:healthcare_translational_research:3.3.2:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:healthcare_translational_research:3.4.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:hospitality_materials_control:18.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:hospitality_simphony:*:*:*:*:*:*:*:* versions from (including) 19.1.0; versions up to (including) 19.1.2
    • cpe:2.3:a:oracle:hospitality_simphony:18.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:hospitality_simphony:18.2:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:identity_manager:12.2.1.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:insurance_accounting_analyzer:8.0.9:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:insurance_allocation_manager_for_enterprise_profitability:8.0.8:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:insurance_allocation_manager_for_enterprise_profitability:8.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:insurance_data_foundation:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
    • cpe:2.3:a:oracle:insurance_ifrs_17_analyzer:8.0.6:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:insurance_ifrs_17_analyzer:8.0.7:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:*:*:*:*:*:*:*:* versions from (including) 5.0.0.0; versions up to (including) 5.6.0.0
    • cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.6.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:insurance_performance_insight:8.0.7:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jdeveloper:11.1.1.9.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jdeveloper:12.2.1.4.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jdeveloper_and_adf:11.1.1.9.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jdeveloper_and_adf:12.1.3.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jdeveloper_and_adf:12.2.1.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:knowledge:*:*:*:*:*:*:*:* versions from (including) 8.6.0; versions up to (including) 8.6.3
    • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.55:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:policy_automation:*:*:*:*:*:*:*:* versions from (including) 12.2.0; versions up to (including) 12.2.15
    • cpe:2.3:a:oracle:policy_automation:10.4.7:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:policy_automation:12.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:policy_automation:12.1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:policy_automation_connector_for_siebel:10.4.6:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:policy_automation_for_mobile_devices:*:*:*:*:*:*:*:* versions from (including) 12.2.0; versions up to (including) 12.2.15
    • cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 16.2.0; versions up to (including) 16.2.11
    • cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 17.12.0; versions up to (including) 17.12.7
    • cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 18.8.0; versions up to (including) 18.8.9
    • cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 19.12.0; versions up to (including) 19.12.4
    • cpe:2.3:a:oracle:primavera_gateway:15.2.18:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:* versions from (including) 17.7; versions up to (including) 17.12
    • cpe:2.3:a:oracle:primavera_unifier:16.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:real-time_scheduler:*:*:*:*:*:*:*:* versions from (including) 2.3.0.1; versions up to (including) 2.3.0.3
    • cpe:2.3:a:oracle:rest_data_services:18c:*:*:*:-:*:*:*
    • cpe:2.3:a:oracle:rest_data_services:19c:*:*:*:-:*:*:*
    • cpe:2.3:a:oracle:rest_data_services:11.2.0.4:*:*:*:-:*:*:*
    • cpe:2.3:a:oracle:rest_data_services:12.1.0.2:*:*:*:-:*:*:*
    • cpe:2.3:a:oracle:rest_data_services:12.2.0.1:*:*:*:-:*:*:*
    • cpe:2.3:a:oracle:retail_back_office:14.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:retail_back_office:14.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:retail_central_office:14.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:retail_central_office:14.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:retail_customer_insights:15.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:retail_customer_insights:16.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:18.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:19.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:retail_point-of-service:14.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:retail_point-of-service:14.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:retail_returns_management:14.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:retail_returns_management:14.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:service_bus:11.1.1.9.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:service_bus:12.1.3.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:service_bus:12.2.1.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:siebel_mobile_applications:*:*:*:*:*:*:*:* versions up to (including) 19.8
    • cpe:2.3:a:oracle:siebel_ui_framework:20.8:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:storagetek_tape_analytics_sw_tool:2.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:system_utilities:19.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:tape_library_acsls:8.5:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:tape_library_acsls:8.5.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:transportation_management:1.4.3:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:utilities_mobile_workforce_management:*:*:*:*:*:*:*:* versions from (including) 2.3.0.1; versions up to (including) 2.3.0.3
    • cpe:2.3:a:oracle:webcenter_sites:12.2.1.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:redhat:cloudforms:4.7:*:*:*:*:*:*:*
    • cpe:2.3:a:redhat:virtualization_manager:4.3:*:*:*:*:*:*:*

    CVE-2020-11022  

    In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
    CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

    CVSSv2:
    • Base Score: MEDIUM (4.3)
    • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
    CVSSv3:
    • Base Score: MEDIUM (6.1)
    • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:2.8/RC:R/MAV:A

    References:

    Vulnerable Software & Versions (NVD):

    • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 7.0; versions up to (excluding) 7.70
    • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 8.7.0; versions up to (excluding) 8.7.14
    • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 8.8.0; versions up to (excluding) 8.8.6
    • cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:* versions from (including) 1.2; versions up to (excluding) 3.5.0
    • cpe:2.3:a:netapp:max_data:-:*:*:*:*:*:*:*
    • cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*
    • cpe:2.3:a:netapp:oncommand_system_manager:*:*:*:*:*:*:*:* versions from (including) 3.0; versions up to (including) 3.1.3
    • cpe:2.3:a:netapp:snap_creator_framework:-:*:*:*:*:*:*:*
    • cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:agile_product_supplier_collaboration_for_process:6.2.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:banking_digital_experience:*:*:*:*:*:*:*:* versions from (including) 18.1; versions up to (including) 20.1
    • cpe:2.3:a:oracle:banking_digital_experience:18.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:banking_digital_experience:18.2:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:banking_digital_experience:18.3:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:banking_digital_experience:19.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:banking_digital_experience:19.2:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:banking_digital_experience:20.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:blockchain_platform:*:*:*:*:*:*:*:* versions up to (excluding) 21.1.2
    • cpe:2.3:a:oracle:communications_application_session_controller:3.8m0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_billing_and_revenue_management:7.5.0.23.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0.0.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_diameter_signaling_router_idih\::*:*:*:*:*:*:*:* versions from (including) 8.0.0; versions up to (including) 8.2.2
    • cpe:2.3:a:oracle:communications_eagle_application_processor:*:*:*:*:*:*:*:* versions from (including) 16.1.0; versions up to (including) 16.4.0
    • cpe:2.3:a:oracle:communications_services_gatekeeper:7.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_webrtc_session_controller:7.2:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:enterprise_session_border_controller:8.4:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.1.0
    • cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from (including) 8.0.6.0.0; versions up to (including) 8.1.0.0.0
    • cpe:2.3:a:oracle:financial_services_analytical_applications_reconciliation_framework:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.8
    • cpe:2.3:a:oracle:financial_services_analytical_applications_reconciliation_framework:8.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_asset_liability_management:8.0.6:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_asset_liability_management:8.0.7:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_asset_liability_management:8.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_balance_sheet_planning:8.0.8:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_basic:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.8
    • cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_basic:8.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_internal_ratings_based_approach:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.8
    • cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_internal_ratings_based_approach:8.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_data_foundation:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.1.0
    • cpe:2.3:a:oracle:financial_services_data_governance_for_us_regulatory_reporting:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.9
    • cpe:2.3:a:oracle:financial_services_data_integration_hub:8.0.6:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_data_integration_hub:8.0.7:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_data_integration_hub:8.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:8.0.6:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:8.0.7:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:8.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.8
    • cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:8.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.0.6:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.0.7:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_liquidity_risk_management:8.0.6:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.0.7:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.0.8:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.8
    • cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:8.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.6:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.8:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_price_creation_and_discovery:8.0.6:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_price_creation_and_discovery:8.0.7:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_profitability_management:8.0.6:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_profitability_management:8.0.7:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_profitability_management:8.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_european_banking_authority:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.1.0
    • cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_us_federal_reserve:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.9
    • cpe:2.3:a:oracle:healthcare_foundation:7.1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:healthcare_foundation:7.2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:healthcare_foundation:7.2.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:healthcare_foundation:7.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:hospitality_materials_control:18.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:hospitality_simphony:*:*:*:*:*:*:*:* versions from (including) 19.1.0; versions up to (including) 19.1.2
    • cpe:2.3:a:oracle:hospitality_simphony:18.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:hospitality_simphony:18.2:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:hospitality_simphony:19.1.0-19.1.2:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:insurance_accounting_analyzer:8.0.9:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:insurance_allocation_manager_for_enterprise_profitability:8.0.8:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:insurance_allocation_manager_for_enterprise_profitability:8.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:insurance_data_foundation:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.1.0
    • cpe:2.3:a:oracle:insurance_data_foundation:8.0.6-8.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:*:*:*:*:*:*:*:* versions from (including) 5.0.0.0; versions up to (including) 5.6.0.0
    • cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.6.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jdeveloper:11.1.1.9.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jdeveloper:12.2.1.4.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:policy_automation:*:*:*:*:*:*:*:* versions from (including) 12.2.0; versions up to (including) 12.2.20
    • cpe:2.3:a:oracle:policy_automation_connector_for_siebel:10.4.6:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:policy_automation_for_mobile_devices:*:*:*:*:*:*:*:* versions from (including) 12.2.0; versions up to (including) 12.2.20
    • cpe:2.3:a:oracle:retail_back_office:14.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:retail_back_office:14.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:19.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:retail_returns_management:14.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:retail_returns_management:14.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:siebel_ui_framework:20.8:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:storagetek_acsls:8.5.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:tenable:log_correlation_engine:*:*:*:*:*:*:*:* versions up to (excluding) 6.0.9

    CVE-2020-11023  

    In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
    CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

    CVSSv2:
    • Base Score: MEDIUM (4.3)
    • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
    CVSSv3:
    • Base Score: MEDIUM (6.1)
    • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:2.8/RC:R/MAV:A

    References:

    Vulnerable Software & Versions (NVD):

    • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 7.0; versions up to (excluding) 7.70
    • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 8.7.0; versions up to (excluding) 8.7.14
    • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 8.8.0; versions up to (excluding) 8.8.6
    • cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:* versions from (including) 1.0.3; versions up to (excluding) 3.5.0
    • cpe:2.3:a:netapp:max_data:-:*:*:*:*:*:*:*
    • cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*
    • cpe:2.3:a:netapp:oncommand_system_manager:*:*:*:*:*:*:*:* versions from (including) 3.0; versions up to (including) 3.1.3
    • cpe:2.3:a:netapp:snap_creator_framework:-:*:*:*:*:*:*:*
    • cpe:2.3:a:netapp:snapcenter_server:-:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:* versions up to (excluding) 20.2
    • cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:banking_enterprise_collections:*:*:*:*:*:*:*:* versions from (including) 2.7.0; versions up to (including) 2.8.0
    • cpe:2.3:a:oracle:banking_platform:*:*:*:*:*:*:*:* versions from (including) 2.4.0; versions up to (including) 2.10.0
    • cpe:2.3:a:oracle:business_intelligence:5.9.0.0.0:*:*:*:enterprise:*:*:*
    • cpe:2.3:a:oracle:communications_analytics:12.1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_eagle_application_processor:*:*:*:*:*:*:*:* versions from (including) 16.1.0; versions up to (including) 16.4.0
    • cpe:2.3:a:oracle:communications_element_manager:8.1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_element_manager:8.2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_element_manager:8.2.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_interactive_session_recorder:*:*:*:*:*:*:*:* versions from (including) 6.1; versions up to (including) 6.4
    • cpe:2.3:a:oracle:communications_operations_monitor:*:*:*:*:*:*:*:* versions from (including) 4.1; versions up to (including) 4.3
    • cpe:2.3:a:oracle:communications_operations_monitor:3.4:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_services_gatekeeper:7.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_session_report_manager:8.1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_session_report_manager:8.2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_session_report_manager:8.2.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_session_route_manager:8.1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_session_route_manager:8.2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_session_route_manager:8.2.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_de_nederlandsche_bank:8.0.4:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.7:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.8:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:health_sciences_inform:6.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:healthcare_translational_research:3.2.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:healthcare_translational_research:3.3.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:healthcare_translational_research:3.3.2:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:healthcare_translational_research:3.4.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:hyperion_financial_reporting:11.1.2.4:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jd_edwards_enterpriseone_orchestrator:*:*:*:*:*:*:*:* versions up to (excluding) 9.2.5.0
    • cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:* versions up to (excluding) 9.2.5.0
    • cpe:2.3:a:oracle:oss_support_tools:*:*:*:*:*:*:*:* versions up to (excluding) 2.12.41
    • cpe:2.3:a:oracle:peoplesoft_enterprise_human_capital_management_resources:9.2:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 16.2; versions up to (including) 16.2.11
    • cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 17.12.0; versions up to (including) 17.12.7
    • cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 18.8.0; versions up to (including) 18.8.9
    • cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 19.12.0; versions up to (including) 19.12.4
    • cpe:2.3:a:oracle:rest_data_services:18c:*:*:*:-:*:*:*
    • cpe:2.3:a:oracle:rest_data_services:19c:*:*:*:-:*:*:*
    • cpe:2.3:a:oracle:rest_data_services:11.2.0.4:*:*:*:-:*:*:*
    • cpe:2.3:a:oracle:rest_data_services:12.1.0.2:*:*:*:-:*:*:*
    • cpe:2.3:a:oracle:rest_data_services:12.2.0.1:*:*:*:-:*:*:*
    • cpe:2.3:a:oracle:siebel_mobile:*:*:*:*:*:*:*:* versions up to (including) 20.12
    • cpe:2.3:a:oracle:storagetek_acsls:8.5.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:storagetek_tape_analytics_sw_tool:2.3.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:webcenter_sites:12.2.1.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:webcenter_sites:12.2.1.4.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:tenable:log_correlation_engine:*:*:*:*:*:*:*:* versions up to (excluding) 6.0.9

    CVE-2020-7656  

    jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e: "</script >", which results in the enclosed script logic being executed.
    CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

    CVSSv2:
    • Base Score: MEDIUM (4.3)
    • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
    CVSSv3:
    • Base Score: MEDIUM (6.1)
    • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:2.8/RC:R/MAV:A

    References:

    Vulnerable Software & Versions (NVD):

    • cpe:2.3:a:jquery:jquery:*:*:*:*:*:node.js:*:* versions up to (excluding) 1.9.0
    • cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*
    • cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*
    • cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*
    • cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*
    • cpe:2.3:a:netapp:oncommand_system_manager:*:*:*:*:*:*:*:* versions from (including) 3.0.0; versions up to (including) 3.1.3
    • cpe:2.3:a:netapp:snap_creator_framework:-:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*

    jQuery 1.x and 2.x are End-of-Life and no longer receiving security updates (RETIREJS)  

    jQuery 1.x and 2.x are End-of-Life and no longer receiving security updates
    Unscored:
    • Severity: low

    References:

    jquery-ui-1.10.3.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/jquery-ui-1.10.3.js
    MD5: ec9758d9508e2fd22ddbdc6d5a28f214
    SHA1: 0ed7df6cc32be8f9687cda3cd6e109e5de44339e
    SHA256: ba0103f765802f299bc7dca5c35d9a00359a0abb10cac136f43caf9c0bf98b7c
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    CVE-2016-7103  

    Cross-site scripting (XSS) vulnerability in jQuery UI before 1.12.0 might allow remote attackers to inject arbitrary web script or HTML via the closeText parameter of the dialog function.
    CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

    CVSSv2:
    • Base Score: MEDIUM (4.3)
    • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
    CVSSv3:
    • Base Score: MEDIUM (6.1)
    • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:2.8/RC:R/MAV:A

    References:

    Vulnerable Software & Versions (NVD):

    • cpe:2.3:a:jqueryui:jquery_ui:*:*:*:*:*:*:*:* versions from (including) 1.10.0; versions up to (including) 1.11.4
    • cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:* versions up to (excluding) 19.1
    • cpe:2.3:a:oracle:business_intelligence:12.2.1.3.0:*:*:*:enterprise:*:*:*
    • cpe:2.3:a:oracle:business_intelligence:12.2.1.4.0:*:*:*:enterprise:*:*:*
    • cpe:2.3:a:oracle:hospitality_cruise_fleet_management:9.0.11:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:oss_support_tools:*:*:*:*:*:*:*:* versions up to (excluding) 2.12.42
    • cpe:2.3:a:oracle:oss_support_tools:2.12.42:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:* versions from (including) 16.0; versions up to (including) 16.2
    • cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:* versions from (including) 17.0; versions up to (including) 17.12.4
    • cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:* versions from (including) 18.0; versions up to (including) 18.8.4
    • cpe:2.3:a:oracle:siebel_ui_framework:*:*:*:*:*:*:*:* versions up to (including) 21.2
    • cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:redhat:openstack:7.0:*:*:*:*:*:*:*
    • cpe:2.3:a:redhat:openstack:8:*:*:*:*:*:*:*
    • cpe:2.3:a:redhat:openstack:9:*:*:*:*:*:*:*

    CVE-2021-41182  

    jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `altField` option of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `altField` option is now treated as a CSS selector. A workaround is to not accept the value of the `altField` option from untrusted sources.
    CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

    CVSSv2:
    • Base Score: MEDIUM (4.3)
    • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
    CVSSv3:
    • Base Score: MEDIUM (6.1)
    • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:2.8/RC:R/MAV:A

    References:

    Vulnerable Software & Versions (NVD):

    • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 7.0; versions up to (excluding) 7.86
    • cpe:2.3:a:jqueryui:jquery_ui:*:*:*:*:*:jquery:*:* versions up to (excluding) 1.13.0
    • cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:* versions up to (excluding) 22.1.1
    • cpe:2.3:a:oracle:banking_platform:2.9.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:banking_platform:2.12.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:big_data_spatial_and_graph:*:*:*:*:*:*:*:* versions up to (excluding) 23.1
    • cpe:2.3:a:oracle:big_data_spatial_and_graph:23.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_interactive_session_recorder:6.4:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_operations_monitor:4.3:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_operations_monitor:4.4:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_operations_monitor:5.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:hospitality_inventory_management:9.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:hospitality_materials_control:18.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:hospitality_suite8:*:*:*:*:*:*:*:* versions from (including) 8.11.0; versions up to (including) 8.14.0
    • cpe:2.3:a:oracle:hospitality_suite8:8.10.2:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:* versions up to (including) 9.2.6.3
    • cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:* versions up to (including) 8.0.29
    • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:policy_automation:*:*:*:*:*:*:*:* versions from (including) 12.2.0; versions up to (including) 12.2.25
    • cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:* versions from (including) 17.7; versions up to (including) 17.12
    • cpe:2.3:a:oracle:primavera_unifier:17.7:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:primavera_unifier:17.8:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:primavera_unifier:17.9:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:primavera_unifier:17.10:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:primavera_unifier:17.11:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:primavera_unifier:17.12:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:primavera_unifier:19.12:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:primavera_unifier:20.12:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:primavera_unifier:21.12:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:rest_data_services:*:*:*:*:-:*:*:* versions up to (excluding) 22.1.1
    • cpe:2.3:a:oracle:rest_data_services:22.1.1:*:*:*:-:*:*:*
    • cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:tenable:tenable.sc:*:*:*:*:*:*:*:* versions up to (excluding) 5.21.0

    CVE-2021-41183  

    jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of various `*Text` options of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. The values passed to various `*Text` options are now always treated as pure text, not HTML. A workaround is to not accept the value of the `*Text` options from untrusted sources.
    CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

    CVSSv2:
    • Base Score: MEDIUM (4.3)
    • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
    CVSSv3:
    • Base Score: MEDIUM (6.1)
    • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:2.8/RC:R/MAV:A

    References:

    Vulnerable Software & Versions (NVD):

    • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 7.0; versions up to (excluding) 7.86
    • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 9.2.0; versions up to (excluding) 9.2.11
    • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 9.3.0; versions up to (excluding) 9.3.3
    • cpe:2.3:a:jqueryui:jquery_ui:*:*:*:*:*:jquery:*:* versions up to (excluding) 1.13.0
    • cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:* versions up to (excluding) 22.1.1
    • cpe:2.3:a:oracle:banking_platform:2.9.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:banking_platform:2.12.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:big_data_spatial_and_graph:*:*:*:*:*:*:*:* versions up to (excluding) 23.1
    • cpe:2.3:a:oracle:big_data_spatial_and_graph:23.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_interactive_session_recorder:6.4:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_operations_monitor:4.3:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_operations_monitor:4.4:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_operations_monitor:5.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:hospitality_inventory_management:9.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:hospitality_suite8:*:*:*:*:*:*:*:* versions from (including) 8.11.0; versions up to (including) 11.14.0
    • cpe:2.3:a:oracle:hospitality_suite8:8.10.2:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:* versions up to (including) 9.2.6.3
    • cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:* versions up to (including) 8.0.29
    • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:policy_automation:*:*:*:*:*:*:*:* versions from (including) 12.2.0; versions up to (including) 12.2.5
    • cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 17.7; versions up to (including) 17.12
    • cpe:2.3:a:oracle:primavera_gateway:18.8.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:primavera_gateway:19.12.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:primavera_gateway:20.12.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:primavera_gateway:21.12.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:rest_data_services:*:*:*:*:-:*:*:* versions up to (excluding) 22.1.1
    • cpe:2.3:a:oracle:rest_data_services:22.1.1:*:*:*:-:*:*:*
    • cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:tenable:tenable.sc:*:*:*:*:*:*:*:* versions up to (excluding) 5.21.0

    CVE-2021-41184  

    jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `of` option of the `.position()` util from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `of` option is now treated as a CSS selector. A workaround is to not accept the value of the `of` option from untrusted sources.
    CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

    CVSSv2:
    • Base Score: MEDIUM (4.3)
    • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
    CVSSv3:
    • Base Score: MEDIUM (6.1)
    • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:2.8/RC:R/MAV:A

    References:

    Vulnerable Software & Versions (NVD):

    • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 7.0; versions up to (excluding) 7.86
    • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 9.2.0; versions up to (excluding) 9.2.11
    • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 9.3.0; versions up to (excluding) 9.3.3
    • cpe:2.3:a:jqueryui:jquery_ui:*:*:*:*:*:jquery:*:* versions up to (excluding) 1.13.0
    • cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:* versions up to (excluding) 22.1.1
    • cpe:2.3:a:oracle:banking_platform:2.9.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:banking_platform:2.12.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:big_data_spatial_and_graph:*:*:*:*:*:*:*:* versions up to (excluding) 23.1
    • cpe:2.3:a:oracle:big_data_spatial_and_graph:23.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_interactive_session_recorder:6.4:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_operations_monitor:4.3:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_operations_monitor:4.4:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_operations_monitor:5.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:hospitality_inventory_management:9.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:hospitality_materials_control:18.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:hospitality_suite8:*:*:*:*:*:*:*:* versions from (including) 8.11.0; versions up to (including) 8.14.0
    • cpe:2.3:a:oracle:hospitality_suite8:8.10.2:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:* versions up to (including) 9.2.6.3
    • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:policy_automation:*:*:*:*:*:*:*:* versions from (including) 12.2.0; versions up to (including) 12.2.25
    • cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:* versions from (including) 17.7; versions up to (including) 17.12
    • cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:primavera_unifier:19.12:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:primavera_unifier:20.12:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:primavera_unifier:21.12:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:rest_data_services:*:*:*:*:-:*:*:* versions up to (excluding) 22.1.1
    • cpe:2.3:a:oracle:rest_data_services:22.1.1:*:*:*:-:*:*:*
    • cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:tenable:tenable.sc:*:*:*:*:*:*:*:* versions up to (excluding) 5.21.0

    CVE-2022-31160  

    jQuery UI is a curated set of user interface interactions, effects, widgets, and themes built on top of jQuery. Versions prior to 1.13.2 are potentially vulnerable to cross-site scripting. Initializing a checkboxradio widget on an input enclosed within a label makes that parent label's contents be treated as the input's label. Calling `.checkboxradio( "refresh" )` on such a widget when the initial HTML contained encoded HTML entities makes them erroneously get decoded, which can lead to executing JavaScript code. The bug has been patched in jQuery UI 1.13.2. To remediate the issue, someone who can change the initial HTML can wrap all the non-input contents of the `label` in a `span`.
    CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

    CVSSv3:
    • Base Score: MEDIUM (6.1)
    • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:2.8/RC:R/MAV:A

    References:

    Vulnerable Software & Versions (NVD):

    • cpe:2.3:a:drupal:jquery_ui_checkboxradio:8.x-1.0:*:*:*:*:drupal:*:*
    • cpe:2.3:a:drupal:jquery_ui_checkboxradio:8.x-1.1:*:*:*:*:drupal:*:*
    • cpe:2.3:a:drupal:jquery_ui_checkboxradio:8.x-1.2:*:*:*:*:drupal:*:*
    • cpe:2.3:a:drupal:jquery_ui_checkboxradio:8.x-1.3:*:*:*:*:drupal:*:*
    • cpe:2.3:a:jqueryui:jquery_ui:*:*:*:*:*:jquery:*:* versions up to (excluding) 1.13.2
    • cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*

    jquery-ui-i18n.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery-ui-i18n.js
    MD5: 57d829b03853586849e33244ec12cdac
    SHA1: fc9a976ea1e1a762d035cd9c86e020ce098d4c64
    SHA256: b7b090942eb1b5faa026ad6a48d57357bea293624bc96b4a55a72d98cdceb6ce
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    CVE-2021-41182  

    jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `altField` option of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `altField` option is now treated as a CSS selector. A workaround is to not accept the value of the `altField` option from untrusted sources.
    CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

    CVSSv2:
    • Base Score: MEDIUM (4.3)
    • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
    CVSSv3:
    • Base Score: MEDIUM (6.1)
    • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:2.8/RC:R/MAV:A

    References:

    Vulnerable Software & Versions (NVD):

    • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 7.0; versions up to (excluding) 7.86
    • cpe:2.3:a:jqueryui:jquery_ui:*:*:*:*:*:jquery:*:* versions up to (excluding) 1.13.0
    • cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:* versions up to (excluding) 22.1.1
    • cpe:2.3:a:oracle:banking_platform:2.9.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:banking_platform:2.12.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:big_data_spatial_and_graph:*:*:*:*:*:*:*:* versions up to (excluding) 23.1
    • cpe:2.3:a:oracle:big_data_spatial_and_graph:23.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_interactive_session_recorder:6.4:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_operations_monitor:4.3:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_operations_monitor:4.4:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_operations_monitor:5.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:hospitality_inventory_management:9.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:hospitality_materials_control:18.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:hospitality_suite8:*:*:*:*:*:*:*:* versions from (including) 8.11.0; versions up to (including) 8.14.0
    • cpe:2.3:a:oracle:hospitality_suite8:8.10.2:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:* versions up to (including) 9.2.6.3
    • cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:* versions up to (including) 8.0.29
    • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:policy_automation:*:*:*:*:*:*:*:* versions from (including) 12.2.0; versions up to (including) 12.2.25
    • cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:* versions from (including) 17.7; versions up to (including) 17.12
    • cpe:2.3:a:oracle:primavera_unifier:17.7:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:primavera_unifier:17.8:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:primavera_unifier:17.9:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:primavera_unifier:17.10:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:primavera_unifier:17.11:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:primavera_unifier:17.12:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:primavera_unifier:19.12:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:primavera_unifier:20.12:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:primavera_unifier:21.12:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:rest_data_services:*:*:*:*:-:*:*:* versions up to (excluding) 22.1.1
    • cpe:2.3:a:oracle:rest_data_services:22.1.1:*:*:*:-:*:*:*
    • cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:tenable:tenable.sc:*:*:*:*:*:*:*:* versions up to (excluding) 5.21.0

    CVE-2021-41183  

    jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of various `*Text` options of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. The values passed to various `*Text` options are now always treated as pure text, not HTML. A workaround is to not accept the value of the `*Text` options from untrusted sources.
    CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

    CVSSv2:
    • Base Score: MEDIUM (4.3)
    • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
    CVSSv3:
    • Base Score: MEDIUM (6.1)
    • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:2.8/RC:R/MAV:A

    References:

    Vulnerable Software & Versions (NVD):

    • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 7.0; versions up to (excluding) 7.86
    • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 9.2.0; versions up to (excluding) 9.2.11
    • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 9.3.0; versions up to (excluding) 9.3.3
    • cpe:2.3:a:jqueryui:jquery_ui:*:*:*:*:*:jquery:*:* versions up to (excluding) 1.13.0
    • cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:* versions up to (excluding) 22.1.1
    • cpe:2.3:a:oracle:banking_platform:2.9.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:banking_platform:2.12.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:big_data_spatial_and_graph:*:*:*:*:*:*:*:* versions up to (excluding) 23.1
    • cpe:2.3:a:oracle:big_data_spatial_and_graph:23.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_interactive_session_recorder:6.4:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_operations_monitor:4.3:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_operations_monitor:4.4:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_operations_monitor:5.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:hospitality_inventory_management:9.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:hospitality_suite8:*:*:*:*:*:*:*:* versions from (including) 8.11.0; versions up to (including) 11.14.0
    • cpe:2.3:a:oracle:hospitality_suite8:8.10.2:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:* versions up to (including) 9.2.6.3
    • cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:* versions up to (including) 8.0.29
    • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:policy_automation:*:*:*:*:*:*:*:* versions from (including) 12.2.0; versions up to (including) 12.2.5
    • cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 17.7; versions up to (including) 17.12
    • cpe:2.3:a:oracle:primavera_gateway:18.8.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:primavera_gateway:19.12.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:primavera_gateway:20.12.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:primavera_gateway:21.12.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:rest_data_services:*:*:*:*:-:*:*:* versions up to (excluding) 22.1.1
    • cpe:2.3:a:oracle:rest_data_services:22.1.1:*:*:*:-:*:*:*
    • cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:tenable:tenable.sc:*:*:*:*:*:*:*:* versions up to (excluding) 5.21.0

    CVE-2021-41184  

    jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `of` option of the `.position()` util from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `of` option is now treated as a CSS selector. A workaround is to not accept the value of the `of` option from untrusted sources.
    CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

    CVSSv2:
    • Base Score: MEDIUM (4.3)
    • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
    CVSSv3:
    • Base Score: MEDIUM (6.1)
    • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:2.8/RC:R/MAV:A

    References:

    Vulnerable Software & Versions (NVD):

    • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 7.0; versions up to (excluding) 7.86
    • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 9.2.0; versions up to (excluding) 9.2.11
    • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 9.3.0; versions up to (excluding) 9.3.3
    • cpe:2.3:a:jqueryui:jquery_ui:*:*:*:*:*:jquery:*:* versions up to (excluding) 1.13.0
    • cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:* versions up to (excluding) 22.1.1
    • cpe:2.3:a:oracle:banking_platform:2.9.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:banking_platform:2.12.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:big_data_spatial_and_graph:*:*:*:*:*:*:*:* versions up to (excluding) 23.1
    • cpe:2.3:a:oracle:big_data_spatial_and_graph:23.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_interactive_session_recorder:6.4:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_operations_monitor:4.3:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_operations_monitor:4.4:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:communications_operations_monitor:5.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:hospitality_inventory_management:9.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:hospitality_materials_control:18.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:hospitality_suite8:*:*:*:*:*:*:*:* versions from (including) 8.11.0; versions up to (including) 8.14.0
    • cpe:2.3:a:oracle:hospitality_suite8:8.10.2:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:* versions up to (including) 9.2.6.3
    • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:policy_automation:*:*:*:*:*:*:*:* versions from (including) 12.2.0; versions up to (including) 12.2.25
    • cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:* versions from (including) 17.7; versions up to (including) 17.12
    • cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:primavera_unifier:19.12:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:primavera_unifier:20.12:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:primavera_unifier:21.12:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:rest_data_services:*:*:*:*:-:*:*:* versions up to (excluding) 22.1.1
    • cpe:2.3:a:oracle:rest_data_services:22.1.1:*:*:*:-:*:*:*
    • cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:tenable:tenable.sc:*:*:*:*:*:*:*:* versions up to (excluding) 5.21.0
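
    Added example (JavaScript, runnable under Node; this is not jQuery UI's own code). CVE-2021-41182, CVE-2021-41183 and CVE-2021-41184, listed above for this i18n file and for the jQuery UI entry before it, share one root cause: option values reached jQuery's polymorphic `$()` (the `altField` and position `of` options) or `.html()` (the `*Text` options), and a string that looks like markup is parsed as HTML there. The block models jQuery's string dispatch with the pattern jQuery core 1.9 and later uses, a stand-in DOM so it runs offline, and the two fixes 1.13.0 applied: strings in selector-typed options are always resolved as selectors, and `*Text` values are always inserted as text. The i18n bundle itself holds only datepicker locale tables; the code these CVEs describe is in the main jQuery UI bundle of the same 1.10.3 tree, so one upgrade of that tree to 1.13.2 or later clears every jquery-ui-1.10.3 finding in this report.

```javascript
// Added example, not jQuery UI code. Models the root cause shared by
// CVE-2021-41182 (altField), CVE-2021-41183 (*Text options) and
// CVE-2021-41184 (position `of`): option values reached jQuery's
// polymorphic $() or .html(), where a string that looks like markup is
// parsed as HTML instead of being used as a selector or as text.

// Modelled on the test jQuery core (1.9 and later) applies to a string
// argument of $(): "<...>" is HTML, "#id" is an id lookup, anything else
// is handed to the selector engine.
const rquickExpr = /^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]+))$/;

function classifyJqueryArgument(value) {
  const m = rquickExpr.exec(value);
  if (m && m[1]) return "html";
  if (m && m[2]) return "id";
  return "selector";
}

// Minimal stand-in for the DOM so the example runs under Node: `find`
// resolves "#id" selectors against a fixed set of ids, `parseHtml` stands
// for jQuery building new nodes from a markup string.
const fakeDom = {
  ids: new Set(["alt-date", "anchor"]),
  find(selector) {
    const id = selector.startsWith("#") ? selector.slice(1) : null;
    return { kind: "matched", selector, count: id && this.ids.has(id) ? 1 : 0 };
  },
  parseHtml(markup) {
    return { kind: "created", markup };
  },
};

// Pre-1.13.0 pattern: $(value). Untrusted "<img src=x onerror=...>" becomes
// a live node instead of a (failed) selector lookup.
function resolveTargetLegacy(value, dom = fakeDom) {
  if (typeof value !== "string") return value; // element / jQuery object passed through
  return classifyJqueryArgument(value) === "html"
    ? dom.parseHtml(value)
    : dom.find(value);
}

// 1.13.0 pattern: $(document).find(value). Every string is a selector;
// markup-looking input simply matches nothing.
function resolveTargetHardened(value, dom = fakeDom) {
  if (typeof value !== "string") return value;
  return dom.find(value);
}

// *Text options: before 1.13.0 the value went through .html(), afterwards
// through .text(). escapeHtml stands in for what a text node gives you.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" })[c]);
}
function renderTextOptionLegacy(label) {
  return `<button class="ui-datepicker-current">${label}</button>`;
}
function renderTextOptionHardened(label) {
  return `<button class="ui-datepicker-current">${escapeHtml(label)}</button>`;
}

// Constructed untrusted value, e.g. taken from a query parameter.
const untrusted = "<img src=x onerror=alert(1)>";
console.log(resolveTargetLegacy(untrusted));    // kind: "created" (markup parsed)
console.log(resolveTargetHardened(untrusted));  // kind: "matched", count: 0
console.log(renderTextOptionLegacy(untrusted)); // raw <img> inside the button
console.log(renderTextOptionHardened(untrusted)); // &lt;img ...&gt; as text
```

    The regex is the interesting part for triage: any code path in an application that forwards a user-controlled string into `$()` has the same property, whether or not jQuery UI is involved, and `$(document).find(value)` or `document.querySelector(value)` is the drop-in replacement when the value is meant to be a selector.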

    CVE-2022-31160  

    jQuery UI is a curated set of user interface interactions, effects, widgets, and themes built on top of jQuery. Versions prior to 1.13.2 are potentially vulnerable to cross-site scripting. Initializing a checkboxradio widget on an input enclosed within a label makes that parent label's contents be treated as the input's label. Calling `.checkboxradio( "refresh" )` on such a widget when the initial HTML contained encoded HTML entities makes them erroneously get decoded, which can lead to executing JavaScript code. The bug has been patched in jQuery UI 1.13.2. To remediate the issue, someone who can change the initial HTML can wrap all the non-input contents of the `label` in a `span`.
    CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

    CVSSv3:
    • Base Score: MEDIUM (6.1)
    • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:2.8/RC:R/MAV:A

    References:

    Vulnerable Software & Versions (NVD):

    • cpe:2.3:a:drupal:jquery_ui_checkboxradio:8.x-1.0:*:*:*:*:drupal:*:*
    • cpe:2.3:a:drupal:jquery_ui_checkboxradio:8.x-1.1:*:*:*:*:drupal:*:*
    • cpe:2.3:a:drupal:jquery_ui_checkboxradio:8.x-1.2:*:*:*:*:drupal:*:*
    • cpe:2.3:a:drupal:jquery_ui_checkboxradio:8.x-1.3:*:*:*:*:drupal:*:*
    • cpe:2.3:a:jqueryui:jquery_ui:*:*:*:*:*:jquery:*:* versions up to (excluding) 1.13.2
    • cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*
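
    Added example (not jQuery UI code) modelling the CVE-2022-31160 round trip described above, for this entry and the identical one under the preceding jQuery UI file: the widget derives the caption from the label's existing content, which a DOM text read returns with entities decoded, and on refresh writes it back as HTML. A single-pass entity decoder stands in for the DOM read, the icon span stands in for the element the widget adds, and the sample label is constructed.

```javascript
// Added example, not jQuery UI code. Models CVE-2022-31160: the
// checkboxradio widget took the label caption from the label's existing
// content and, on .checkboxradio("refresh"), wrote it back as HTML.
// Entities the page author had encoded (&lt;img ...&gt;) were decoded by
// the read and re-parsed as live markup by the write.

// Single-pass entity decoder, standing in for what .text() returns for
// encoded content in a real DOM. One pass means "&amp;lt;" stays "&lt;".
function decodeEntities(s) {
  const map = { lt: "<", gt: ">", quot: '"', "#39": "'", amp: "&" };
  return s.replace(/&(lt|gt|quot|#39|amp);/g, (_, name) => map[name]);
}

// Encoder standing in for what inserting a text node does.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" })[c]);
}

// Split a label's inner HTML into the <input> tag and the caption around it.
function splitLabel(labelInnerHtml) {
  const m = /<input\b[^>]*>/i.exec(labelInnerHtml);
  if (!m) throw new Error("label has no input");
  return { input: m[0], caption: labelInnerHtml.replace(m[0], "") };
}

// Pre-1.13.2 pattern: read the caption as text (entities decoded), then
// write it back with .html(). The span stands in for the widget's icon.
function refreshLabelVulnerable(labelInnerHtml) {
  const { input, caption } = splitLabel(labelInnerHtml);
  const text = decodeEntities(caption);
  return `${input}<span class="ui-checkboxradio-icon"></span>${text}`;
}

// Hardened: write the caption back as a text node (.text()), so whatever
// was decoded on the way in is encoded again on the way out.
function refreshLabelFixed(labelInnerHtml) {
  const { input, caption } = splitLabel(labelInnerHtml);
  const text = decodeEntities(caption);
  return `${input}<span class="ui-checkboxradio-icon"></span>${escapeHtml(text)}`;
}

// Triage helper: did the refresh create a tag the original only carried as
// entities? (+1 allows for the icon span the widget itself adds.)
function introducesMarkup(before, after) {
  const tags = (html) => (html.match(/<[a-z][^>]*>/gi) || []).length;
  return tags(after) > tags(before) + 1;
}

// Constructed label: server-side encoding did its job, the caption is inert.
const original = '<input type="checkbox" name="agree"> I agree &lt;img src=x onerror=alert(1)&gt;';
console.log(refreshLabelVulnerable(original)); // caption now contains a live <img>
console.log(refreshLabelFixed(original));      // caption still &lt;img ...&gt;
console.log(introducesMarkup(original, refreshLabelVulnerable(original)),
            introducesMarkup(original, refreshLabelFixed(original)));
```

    The same read-as-text, write-as-HTML pattern is worth grepping for in any widget code that "refreshes" itself from the DOM; the workaround the advisory gives (wrapping the caption in a `span`) works because the widget then leaves that element alone instead of reconstructing it.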

    jquery.DOMWindow.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery.DOMWindow.js
    MD5: 14b07bbc636c973c260e20d6c99cc157
    SHA1: bca934ea8bca24cbf5d1607b5701f65e9dbb4c82
    SHA256: 90ea69e09149603bffde5a9ac82080bfc0ffa5c2ae45a2ff646596104ca03419
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    jquery.dataTables-1.10.10.min.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery.dataTables-1.10.10.min.js
    MD5: da141feb1384d7c92e3a043d8185d156
    SHA1: bc64b3f49e570e4dedd7e545e54368b1dd7a383d
    SHA256: 60a6c9a3dfdc670823b9edc8e23b0529d13ea0692b4a9a99cfabe8c659a7d85a
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    CVE-2020-28458  

    All versions of package datatables.net are vulnerable to Prototype Pollution due to an incomplete fix for https://snyk.io/vuln/SNYK-JS-DATATABLESNET-598806.
    CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

    CVSSv2:
    • Base Score: HIGH (7.5)
    • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
    CVSSv3:
    • Base Score: HIGH (7.3)
    • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:3.9/RC:R/MAV:A

    References:

    Vulnerable Software & Versions (NVD):

    • cpe:2.3:a:datatables:datatables.net:*:*:*:*:*:node.js:*:* versions up to (excluding) 1.10.23
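
    Added example (not DataTables code) for CVE-2020-28458 above: a deep-extend of the kind used to merge table options with defaults, first in the shape that recurses into `__proto__` from JSON-sourced keys, then with the checks that block the prototype-reaching keys and only recurse into properties the target owns. The payload is constructed; because the CVE text says the first upstream fix was incomplete, the hardened version is exercised against both the `__proto__` and the `constructor.prototype` route.

```javascript
// Added example, not DataTables code. CVE-2020-28458 is prototype
// pollution in recursive option merging; this models a deep-extend that
// recurses into keys taken from attacker-influenced JSON, and a fix that
// holds up against the usual bypasses.

const POLLUTING_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Vulnerable: Object.keys() of a JSON.parse() result includes an own
// "__proto__" key; target["__proto__"] is Object.prototype, and the
// recursion writes into it.
function deepExtendVulnerable(target, source) {
  for (const key of Object.keys(source)) {
    const val = source[key];
    if (isPlainObject(val)) {
      if (!isPlainObject(target[key])) target[key] = {};
      deepExtendVulnerable(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened: refuse the three keys that can reach a prototype, and only
// recurse into properties the target itself owns, so an inherited object
// is never used as a merge destination.
function deepExtendHardened(target, source) {
  for (const key of Object.keys(source)) {
    if (POLLUTING_KEYS.has(key)) continue;
    const val = source[key];
    if (isPlainObject(val)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      deepExtendHardened(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Constructed payload: what a table could receive if its initialisation
// options or an ajax response came from an untrusted source. Both known
// routes to Object.prototype are included.
const payload =
  '{"paging": true, "__proto__": {"isAdmin": true}, "constructor": {"prototype": {"isAdmin": true}}}';

// Returns true if the merge left a global footprint, then removes it so the
// rest of the process is unaffected.
function mergePollutesGlobals(mergeFn) {
  const defaults = { paging: false };
  mergeFn(defaults, JSON.parse(payload));
  const polluted = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;
  return polluted;
}

console.log("vulnerable merge pollutes Object.prototype:", mergePollutesGlobals(deepExtendVulnerable)); // true
console.log("hardened merge pollutes Object.prototype:", mergePollutesGlobals(deepExtendHardened));     // false
```

    The `hasOwnProperty` check matters as much as the key blocklist: without it, a merge into a target whose inherited property happens to be an object still walks up the chain. For option objects that never need inheritance, building the target with `Object.create(null)` removes the prototype altogether.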

    CVE-2021-23445  

    This affects the package datatables.net before 1.11.3. If an array is passed to the HTML escape entities function it would not have its contents escaped.
    CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

    CVSSv2:
    • Base Score: MEDIUM (4.3)
    • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
    CVSSv3:
    • Base Score: MEDIUM (6.1)
    • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:2.8/RC:R/MAV:A

    References:

    Vulnerable Software & Versions (NVD):

    • cpe:2.3:a:datatables:datatables.net:*:*:*:*:*:node.js:*:* versions up to (excluding) 1.11.3
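
    Added example (not DataTables code) for CVE-2021-23445 above: an escape helper that only handles strings returns an array untouched, and the renderer's string coercion then joins the raw elements into the cell. The hardened form escapes arrays element-wise and coerces everything else to a string first. The row is constructed.

```javascript
// Added example, not DataTables code. CVE-2021-23445 describes an HTML
// escape helper that only handled strings: an array slipped through
// untouched and was later coerced to a string by the renderer, so its
// elements landed in the page unescaped.

const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Vulnerable shape: anything that is not a string is returned as-is.
function escapeHtmlStringOnly(d) {
  return typeof d === "string" ? d.replace(/[&<>"']/g, (c) => ESCAPES[c]) : d;
}

// Hardened shape: arrays are escaped element-wise (recursively, so nested
// arrays are covered too), null/undefined become "", everything else is
// coerced to a string before escaping.
function escapeHtmlAny(d) {
  if (Array.isArray(d)) return d.map(escapeHtmlAny);
  if (d === null || d === undefined) return "";
  return String(d).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// What a cell renderer does with the result: template interpolation calls
// toString(), and Array.prototype.toString joins elements with commas, so
// an unescaped array yields raw markup inside the <td>.
function renderCell(value, escapeFn) {
  return `<td>${escapeFn(value)}</td>`;
}

// Constructed row: the "tags" column is an array, as it would be from a
// JSON data source where one field holds a list.
const row = { name: "report.pdf", tags: ["<img src=x onerror=alert(1)>", "finance"] };

console.log(renderCell(row.tags, escapeHtmlStringOnly)); // raw <img ...> in the cell
console.log(renderCell(row.tags, escapeHtmlAny));        // &lt;img ...&gt;,finance
```

    The lesson generalises beyond DataTables: a sanitiser that branches on `typeof` and passes the other branch through is a type-confusion bypass waiting for the first array, number or object a JSON source sends.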

    prototype pollution (RETIREJS)  

    prototype pollution
    Unscored:
    • Severity: medium

    References:

    possible XSS (RETIREJS)  

    possible XSS
    Unscored:
    • Severity: low

    References:

    jquery.easy-ticker.min.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery.easy-ticker.min.js
    MD5: 52383028795cabc648325291c0384659
    SHA1: 5b23a1af773f4fc99baf0912fc028809064b9042
    SHA256: e708fe12174d8be13093cdb95f27dbb23e1c1f5ecf15cf06d18af852679acee7
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    jquery.mobile-1.2.1.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery.mobile-1.2.1.js
    MD5: ed58f356ed32d00d8895ac4342995fa6
    SHA1: 96fc7a2f22872642226b902bbf62435efac36661
    SHA256: 2101876f2c3acbb83ed397a6d3bf501c26c91894f424c430bd6534437ab53d88
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    Endpoint that reflect user input leads to cross site scripting (RETIREJS)  

    Endpoint that reflect user input leads to cross site scripting
    Unscored:
    • Severity: high

    References:

    open redirect leads to cross site scripting (RETIREJS)  

    open redirect leads to cross site scripting
    Unscored:
    • Severity: high

    References:

    jquery.mobile-1.2.1.min.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery.mobile-1.2.1.min.js
    MD5: b92ac578539e13e7fb3f095d70d81f68
    SHA1: 7b76f465a7dfc1958a5dfd28a657ca70612017e6
    SHA256: dd2552f7b29e611c53078618904391aabb8d805f4beff8110eb22698d41a92b8
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    Endpoint that reflect user input leads to cross site scripting (RETIREJS)  

    Endpoint that reflect user input leads to cross site scripting
    Unscored:
    • Severity: high

    References:

    open redirect leads to cross site scripting (RETIREJS)  

    open redirect leads to cross site scripting
    Unscored:
    • Severity: high

    References:
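
    Added example (not jQuery Mobile code) for the two Retire.js findings on jquery.mobile-1.2.1.js and jquery.mobile-1.2.1.min.js above. Both concern a navigation target taken from the URL fragment by the library's hash-based page loading. The check below resolves a fragment target with the WHATWG `URL` parser, as the browser would, and accepts it only when it stays on the application's own origin and path prefix; `APP_BASE` and the fetch stub are assumptions so that it runs offline.

```javascript
// Added example, not jQuery Mobile code. Hash-based routers read a page
// target out of location.hash and fetch it; if the target can name a
// foreign origin the result is an open redirect, and if the fetched (or
// reflected) content reaches the DOM it is XSS. This is the origin check
// a practitioner wants in front of such a loader.

const APP_BASE = "https://app.example/okm/"; // assumption: the application's own base URL

function fragmentToTarget(hash) {
  return hash.startsWith("#") ? hash.slice(1) : hash;
}

// Returns the absolute, same-origin URL string to load, or null if the
// target must be refused. new URL() applies the same rules the browser
// does, so "//evil.example", "/\\evil.example", "https://evil.example" and
// "javascript:..." are all caught by the origin comparison rather than by
// a hand-written blocklist.
function resolveFragmentTarget(hash, base = APP_BASE) {
  const raw = fragmentToTarget(hash).trim();
  if (raw === "") return null;
  let target;
  try {
    target = new URL(raw, base);
  } catch {
    return null;
  }
  const baseUrl = new URL(base);
  if (target.origin !== baseUrl.origin) return null;            // foreign origin (open redirect)
  if (!target.pathname.startsWith(baseUrl.pathname)) return null; // escaped the app's path prefix
  return target.href;
}

// Page loader in the style of hash-based routers. fetchFn is injected so
// the example runs offline; the stub below only records what would be
// requested.
function loadPageFromHash(hash, fetchFn) {
  const url = resolveFragmentTarget(hash);
  if (url === null) return { loaded: false, reason: "refused fragment target" };
  return { loaded: true, url, body: fetchFn(url) };
}

const fakeFetch = (url) => `<div data-role="page">fetched ${url}</div>`;
console.log(loadPageFromHash("#pages/help.html", fakeFetch));       // loaded: true
console.log(loadPageFromHash("#//evil.example/steal", fakeFetch));  // refused
console.log(loadPageFromHash("#/\\evil.example/steal", fakeFetch)); // refused (backslash = slash)
console.log(loadPageFromHash("#javascript:alert(1)", fakeFetch));   // refused (origin "null")
```

    Comparing `origin` after parsing is deliberately chosen over pattern-matching the raw string: the browser's own parser decides what `/\evil.example` or `https:evil.example` means, and the check inherits that decision instead of guessing at it. Whether fetched content may then be inserted into the DOM is a separate question this check does not answer.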

    jquery.tablescroll.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery.tablescroll.js
    MD5: d88e1b01bcb21f98cf1d0ccbc3abdc26
    SHA1: feabb79558104ff1fa5d21fc2303368ecf5d62e0
    SHA256: 1ac1eac58e911ecb0f302d87ac840f21a38960dde84552e036f937adf0e74823
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    jquery.tinymce.min.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/jquery.tinymce.min.js
    MD5: 58f056fe5cf8f5818ea18982b004f8a7
    SHA1: a6316b8942c11a86df5062e7520ec9ea17e35b52
    SHA256: 83405de858139df240861e5b894b4f212f49bb2493231ac4b4994a56dd46bde4
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    jquery.ui.datepicker-af.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-af.js
    MD5: 3f6dc7167ebfdab2e4c06ca1f7ecbf55
    SHA1: bed08a6fd05ad28385eba4ed30f9f4f3cf0989df
    SHA256: 13b3c1956d1bc149f33324757cfefa91754176956bcd9983cf318603659d650f
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    jquery.ui.datepicker-ar-DZ.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-ar-DZ.js
    MD5: f9c86467366d98200c97ac9c8b843fbb
    SHA1: ffa0c7c892badba21647d60bc72e9e2e72f10a2a
    SHA256: 6a9710a4f0624fd5b67e0bd5311e75e4ac211890c9e1ed03431248d686ad9a03
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    jquery.ui.datepicker-ar.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-ar.js
    MD5: 9924612cef93d8722863287157768180
    SHA1: 7c7a19ed519eebbd56d52d9a19ebdd8e26dee3aa
    SHA256: bcf9c699e1ff78eb2ff4fce020d33b29c42ece158e339cd0e917e8c16a6865c2
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    jquery.ui.datepicker-az.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-az.js
    MD5: f9f7fb74b273da0307a8bd4ec7acb6b5
    SHA1: 0b8467ea6271bd6bbf31748ec5f34d49b8671c8b
    SHA256: 9b947cfd64b7ba7cdec93042eac8267e45cd2ae54e32ba362b09d5a8da1a8e7c
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    jquery.ui.datepicker-be.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-be.js
    MD5: 7b1c87006e19cac0f3590845efd008fb
    SHA1: 1d2278f0e74d9bbcf997faa39a0c7e60e3752381
    SHA256: 218798309f1b8ad3402996c2f9a821b8b0c13e929996ccc376590b508dd408e3
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    jquery.ui.datepicker-bg.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-bg.js
    MD5: d965b3639b678aaf5819db10189d3472
    SHA1: 1fd69b71f06808121f617cbbf92a90e07ae7db6c
    SHA256: 479166222f060a557252a6389c617ff9e1be7c780f0d6fd998510578f6eb9a95
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    jquery.ui.datepicker-bs.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-bs.js
    MD5: eeccd3d7df38ab2c37ae290e46b3cd93
    SHA1: 390947bfb69a03a70caea25650e61f69740bd1e1
    SHA256: ec0b5e7357984df430262e248b1633a16b51196c9538109d18218cfa5486f996
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    jquery.ui.datepicker-ca.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-ca.js
    MD5: a857021fa5601842d94a41f20a5cab9d
    SHA1: d585621fcc39be2e34092d14efd04eccea938ec7
    SHA256: d8c958bff79c04c38b1a9661867c6e9aa4d441280656765bdd77d0526651dcb0
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    jquery.ui.datepicker-cs.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-cs.js
    MD5: 54791b35c9819515ce0cad20b7537277
    SHA1: c4f665c0056249a2897453a9eda0b5aa07bed10b
    SHA256: 77775c1def8799f75956a30c425b074b7148346b115e17e70642a9e970135f54
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    jquery.ui.datepicker-cy-GB.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-cy-GB.js
    MD5: fb40b70ba78ef9f4251a86355c5f65f7
    SHA1: bcc1447626324e44340f4275783e361ec9b85b64
    SHA256: 94723f001defcb68cd44f964d9f14bd380d60812072f394fa616e9eeb2e7f203
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    jquery.ui.datepicker-da.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-da.js
    MD5: 656d173c027d5a08186e39c156ba5597
    SHA1: 440d0d100f9a72b3f5249c96a76268a142f59c16
    SHA256: 99a51207c0ebd4eb35d791e0519f68292ec7af75d60525e547d69ba667763096
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    jquery.ui.datepicker-de.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-de.js
    MD5: bf12bcbfcb995b003e6cb3c257904be6
    SHA1: 5db60160f2b78fc0adccbf721db244e42d0eca17
    SHA256: 9ce890fdcd947065a60eee0cceb232b25fb250ec39ca39250beb99ea1fb28982
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    jquery.ui.datepicker-el.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-el.js
    MD5: c3150764daf20b6fa2142581180be1ad
    SHA1: 432be4c0563ab757b69bbbf8d9a82f5515259ffe
    SHA256: cc5dc0411fbb1f8b1ffaecf8fe7000f875a5599f0f06eefa2361271b02f58397
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    jquery.ui.datepicker-en-AU.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-en-AU.js
    MD5: 4a38655904f6c55da227cea464b55a2b
    SHA1: b69c650bad329c3b36c255a5f61a0674726caa31
    SHA256: 39fd50b8e82d9c4e07949d85f901a44b0ce559acf2e48214fa16efb970ce434a
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    jquery.ui.datepicker-en-GB.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-en-GB.js
    MD5: 24a226a281a11799c495abc21f696c23
    SHA1: b56c752cc763f92dc3d4dfc7ce0b9df55a884899
    SHA256: dc8de8a8e14ecce8bc75f3460763b8a1e7bcde04e860e176273318620d5c2163
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    jquery.ui.datepicker-en-NZ.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-en-NZ.js
    MD5: af985e8d034123f14696aa116027760d
    SHA1: 7eddb4245d43d61404a10ff380538f3fc16e5ace
    SHA256: 8cd7fceb1d041507bcd5775aeeaac2b767d87af63be1ff5831c44e6e0194b3d1
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    jquery.ui.datepicker-en-US.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-en-US.js
    MD5: 266da8839e5b2dfae70046649239cec3
    SHA1: 9bbd510e41ee35f753654244a2f826c7fd3a5837
    SHA256: 8093cacbe4f899c6e7cc02ce6511a8a756d2127aea8c25658f0b44211083702a
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    jquery.ui.datepicker-eo.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-eo.js
    MD5: e1f5d8ed4599ca392aeb284fe637df33
    SHA1: 9ea43425f002fdf6725267e0d6cc29cf98c28b90
    SHA256: 1d54189ab7d969441b9ceea23a1666fa25eda877a7df31a797476c14210f1e8f
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    jquery.ui.datepicker-es-ES.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-es-ES.js
    MD5: 77606d5c3648f0188f3d6f05f07c2067
    SHA1: 03a1a83e7d0bbd2f6ec7394dbc3148ad3e1dcc6d
    SHA256: 00067531dff9d8c79a80f82e719ae83e1cb4e313376d0d3232a681981fc57a0f
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    jquery.ui.datepicker-et.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-et.js
    MD5: 1a7c15ddc89179a0e309d9e7d2b97ad4
    SHA1: 239dd175dd10324ee8b6c9b5b1173f3ebfcc8648
    SHA256: 733e3f181e8a5324c199797511ba060fb2b5fdf5c54d782aefd573ae2f149dc8
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    jquery.ui.datepicker-eu.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-eu.js
    MD5: 24751dd4dcabb58b82ee0817fea84fd3
    SHA1: 15abd806624a1caa7c5b252922129b4ee39500c1
    SHA256: 68dd427277bb609956d40fe822e798fc1546034bdf05ebb12dd08f89474dd7c5
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    jquery.ui.datepicker-fa.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-fa.js
    MD5: 9687cad817acecd88a808d7ef8c58fcf
    SHA1: 9e8767f975b4d97757794ed649d27fba11a263e2
    SHA256: f7845b50abb0e91075630251c26faa8b6980819a594f9a2a589bc00defc585b8
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    jquery.ui.datepicker-fi.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-fi.js
    MD5: f435818611baafdd00cac4f264e29eae
    SHA1: d1dfc3711f0228e84532658b2ea1b6caecb6024b
    SHA256: aee8abba7739f6e64baa4d96082feb8c37c18a8d9ff72cbf1b17d6dd0c534028
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    jquery.ui.datepicker-fo.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-fo.js
    MD5: 85444da9fc4c900eba95f8ff4704688f
    SHA1: b68215d21446773c42c919002d087aa4bb8ee003
    SHA256: 12f827158b071908a77905cae65d11935099d91315a25d5c215d5071fd1167a7
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    jquery.ui.datepicker-fr-CA.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-fr-CA.js
    MD5: da166bae7a0b6dfd7d9e2f6bab4576dc
    SHA1: ee9f5d5e9361fa14ff222c3a7333fbd1c99f6996
    SHA256: 3dd635f09573d6c5dfe6c786148183ec249b8734eac4dbb80d700d8d9670d506
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    jquery.ui.datepicker-fr-CH.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-fr-CH.js
    MD5: 8b170b46edcc43d05082cc464244020f
    SHA1: ad0f6a728afb0975347bf428faa119eb44baaef3
    SHA256: 92a0494b9601c5bcd7db81fcd8c5e100341d7227ead0c01baa33c172a7275386
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    jquery.ui.datepicker-fr.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-fr.js
    MD5: 792d81b0e28e033f86f11a5602a450cc
    SHA1: 4c7ec2bafd9cdb8d91f9cfc4b79df0a122908ccf
    SHA256: bf326c3d6b49045372fc3b7c25045620473315cf5d061d53f2bb3862c0728992
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    jquery.ui.datepicker-gl.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-gl.js
    MD5: 0f4dee4528f5f8fb8eb20a14496b7e37
    SHA1: 1cb4058a7d50c0d2eb49b7e2b5163c4a5e762e00
    SHA256: 92948fb2f83cfe000d45dcae288157542307a75a305177a025cade62bfddeaf0
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    jquery.ui.datepicker-he.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-he.js
    MD5: b2ad344bf1df226aa1a760f1d3653da7
    SHA1: c3f6c4358e461eeee215717d53d67fec2d8fe261
    SHA256: bac9f114d740aa38a779bc80100c97286164ad41480b31da4bccbc95b7935eb0
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    jquery.ui.datepicker-hi.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-hi.js
    MD5: 1e2602a3c232f31242c47a9cadccf9dd
    SHA1: 8edec8989770a74e287ab441f69da4aaadfa6154
    SHA256: 7eb94397bb3d0b2f0b9132eeb4c8ada7dfe6b97cd78dd1cf628be69c0d6b2976
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    jquery.ui.datepicker-hr.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-hr.js
    MD5: 7582ea79c7fd35b2b7758ff103b11b4b
    SHA1: 84226c30a4ecf5d2cacddaa99fa660ebe51ff5ff
    SHA256: 988c4ba1736daff5d1799897aa880ef24e31a738e99ae99cd818ee4dd93c5419
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    jquery.ui.datepicker-hu.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-hu.js
    MD5: dee235f99823541ec88be57dec431230
    SHA1: 43ca2f7eab22cf20860813dd19a4f9772ff091c7
    SHA256: b19a8362602777cc9614db8f9fca8b63060b6238c0c07dfa54e03bca288c8315
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    jquery.ui.datepicker-hy.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-hy.js
    MD5: 2f3828a4c02a475b1b8966609721b9c3
    SHA1: 8c8ca28a10a0726816fa90b582d8bb1023bdf6f7
    SHA256: 705ff381431c46e3012cfb530a5b84540eb0f787c2e54348e84f930e6525a2a7
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    jquery.ui.datepicker-id.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-id.js
    MD5: fb0ad98a3ad212b1986fcac5015b0435
    SHA1: 86391d3567e26824cc649d8bece9d35685adbc01
    SHA256: a9fae5d5808276b31b4a85ad344ee0fa050cad2147106a4d6f2d7d3c403c0142
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    jquery.ui.datepicker-is.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-is.js
    MD5: 447892a5c1601bb524d7e2cf5ff6cb33
    SHA1: 64e30bc3d5cf0c49dcd8705d8f82ff8dc7883626
    SHA256: d1b4c3263f134b715b2bcec9688a31a8c676f1c038794cad1588ad12b667f730
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    jquery.ui.datepicker-it.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-it.js
    MD5: 7e651d93d0219066bf596faa06db4a81
    SHA1: 6dc2ba67a57cd0695d4077961d6d9e2e245ca82a
    SHA256: 2ef97e23310c1525d262acd307b3e4b976387e44c290bdb34ce724324612745a
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    jquery.ui.datepicker-ja.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-ja.js
    MD5: bf1cf98e79f2d6792c7c7a193b4c7497
    SHA1: 71168b37c4a2a53b8aa30731f5fe4154df109ba3
    SHA256: 101380ee8d213449093b915221d72a9917018ea442c6b6058f20b1f7e5bedb89
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    jquery.ui.datepicker-ka.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-ka.js
    MD5: fd0b08bdc63b1d969fa2df907083062a
    SHA1: d35cfbee7786e5d29dba7ad982e5a4c7f7e5813c
    SHA256: 659e2cc8a6a198eb17008e9d44e3f82b42a3f611c37278bd0cf956e8028c5180
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    jquery.ui.datepicker-kk.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-kk.js
    MD5: 57a792b4c55dc23b2095cc190180c440
    SHA1: b58aa056f7e5e71ac0796bff79f214fe70f16ef6
    SHA256: 63077d05179199e096c0d7cc44b8a20a9a5425f2b282cda377f68bf95dd910a0
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    jquery.ui.datepicker-km.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-km.js
    MD5: f5c6ed9f64ff97adfd29cb149176021f
    SHA1: 78fcad452026a541d33c6ad3a51711f2580a2736
    SHA256: 3a56ebf89b52dd58d4b58c04978c63eb4976a477eb91d6a2c6eabca6be37cf26
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    jquery.ui.datepicker-ko.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-ko.js
    MD5: 5fb849693b65beed7146624ba498b517
    SHA1: bbbe4628d900b4bb858693e48143883d9aefd947
    SHA256: 0b9ee770f950e4f220deb9541b385c3f376f109e7875c311ce9ccd98f92b0233
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    jquery.ui.datepicker-ky.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-ky.js
    MD5: a5db310345d66c395b592fd2f6136bf0
    SHA1: 2c66d7a4400a55876fe0a8973f6ab7bd9947460f
    SHA256: c49eaa510f5e3e0f271d2201e480429e15c39ada24a561a880bc5df051f5ffb4
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    jquery.ui.datepicker-lb.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-lb.js
    MD5: 642aa75625a4ab2c324fb5df74063509
    SHA1: eaf044a0a6154d3d16c77a53ba41d38b70e3a69d
    SHA256: 2ead8f0cc952f0cf9bbad1831a9d15fe554a2735d20ae1f4938522fb351603f2
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    jquery.ui.datepicker-lt.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-lt.js
    MD5: 162b7b6e9e935c89b62260f13bb98429
    SHA1: 171342f4742d193111e6b05bda27599ecfd68402
    SHA256: 821a29051e418df2bf13d6c7af1a1a6ab0bd71105872ff43e147fae9cc731e2f
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    jquery.ui.datepicker-lv.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-lv.js
    MD5: 37874227817498b9976e5c66e4da0eb9
    SHA1: d41b6eda5119a118a4206d74858e25ebb6df5c15
    SHA256: 5ba0490f504d0635ec8640272ca170b922905a883fd8ad408be1a018ca189b9c
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    jquery.ui.datepicker-mk.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-mk.js
    MD5: cdfdd4b3a2e181c9ed297fa55c739d5e
    SHA1: f75e1af88996ce6847c0b466311dc346a813a1f7
    SHA256: d31c531a148acbb9fd6d2fe064ab5886d8a469232864e381e2f405636bbfdc29
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    jquery.ui.datepicker-ml.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-ml.js
    MD5: 17fe3b0548bf5a2c9f4e0b081efaeb04
    SHA1: fa67abeb3b2cfaacb309a9ee3a4fe31a9338e20b
    SHA256: 41ffd94f610100d8d34394fa99d06d4f7f65d995274c8bb40316f391f9040a94
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    jquery.ui.datepicker-ms.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-ms.js
    MD5: 51efc50e21ae012a17f4f3cd0f2ac93d
    SHA1: c7dd10401add9f15bea0206a72def3c16b879cc2
    SHA256: 6cda00c91cbaf3bd3befa1fd81f2d1ce84d63d718e4b6db39e828f2002d74a74
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    jquery.ui.datepicker-nb.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-nb.js
    MD5: 693af0abc258aaf903c4d4b23a882676
    SHA1: be0e9f36cb1c3a233deedb271f0ddbfe1395bb01
    SHA256: 3fe450479f223383aa5fd3b06e2350c3f991315991f9c4e1c102ccf7525bf82a
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    jquery.ui.datepicker-nl-BE.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-nl-BE.js
    MD5: 60b63d90f6eb6ea3334ec75d6a0831ec
    SHA1: 4fc62c2beb91150f403cbb72510c7d73ae87a7de
    SHA256: c6700222a07bb785e1bcc832bbda73f56f463991ac4d0f26fc3fef30822faca9
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    jquery.ui.datepicker-nl.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-nl.js
    MD5: 8c765466b1bb2709f8c9db056029ec89
    SHA1: a541272380cc332658aad66e66d673c8b33072f8
    SHA256: f5879fd10c096a7f0ec223f0f8f94e22b22d4f91787092121816fe436517c4da
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    jquery.ui.datepicker-nn.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-nn.js
    MD5: 690553270244b0de96ade29a9e04b02a
    SHA1: 448cd8c68641c3066a59f5f4a6e61f5eaf0837cf
    SHA256: f2b114961b607dd0a51b58b91389e20d336967b870ee92eceefc96cfb7b2858a
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    jquery.ui.datepicker-no.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-no.js
    MD5: 5f531f078d367d5f10c287479533b0c8
    SHA1: d345be311ae7a103e0f196e376b5b3e4eb02a4f6
    SHA256: efa244f0869947d09fc669144f645c2729320f14f3a58dc477d11a79b2c1a422
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    jquery.ui.datepicker-pl.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-pl.js
    MD5: 2d7dd09c586d4275b402d627778123ca
    SHA1: eb4dc9b3be180a88f820272eba452be775ed2ae8
    SHA256: 5a56773af857cc7f05cd8d0d8d842cd71f214591d3f4f9be2632bca9a98bf25e
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    jquery.ui.datepicker-pt-BR.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-pt-BR.js
    MD5: 2d3c1dc7191cf5081b4f982c8cf78c98
    SHA1: ac307479005fe3e316d5b2f1eaaff89bb48dcf69
    SHA256: 3c798cfa40d65e6f226d561d6bb7cabbe066ea87ffd474a5caaba95e2b49d605
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    jquery.ui.datepicker-pt.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-pt.js
    MD5: 860cea01ca64bbc3c7978d127e99b758
    SHA1: 05764e8ea551fb41de1ac455c66cb6f2907259b8
    SHA256: 89caec9fa822a2f4f050e7d490893fc81ea39f3329f00b2c2e12986f3542bf7e
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    jquery.ui.datepicker-rm.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-rm.js
    MD5: 0601228208954434efea2ccf265f5b94
    SHA1: 15f311311bb5e0b4c91cbe3d502bf6fd1bb0a71f
    SHA256: a10a44725edcbac12fb505445bf79ce474c8c621a73a3c56e17b769dbe274424
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    jquery.ui.datepicker-ro.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-ro.js
    MD5: 3e888ad522a6581f99b47ad987292c20
    SHA1: b80d6afa3f2276f4376cbf8ad54c79971786aa03
    SHA256: 69c8c0d833628a8b1cb64aa4e81e0033763e2aa3e1dc01a730615f25b2063400
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    jquery.ui.datepicker-ru.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-ru.js
    MD5: 813acc83f4f77a0d874426207da0208a
    SHA1: 44ca0387b6caf2a07ce61d67ca676a4d319620e9
    SHA256: 87981e13163fc67625491c48df4de65efe8c6b6fd7f0de35f8056c9806793ecb
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    jquery.ui.datepicker-sk.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-sk.js
    MD5: 377b3c5fa2285a8fa665206957c95ceb
    SHA1: c57fce966065c4dc9561752b0b5e18d63b9bb8ba
    SHA256: 9af151d993ad480006c4c79834f13675e532c385f1d87e94ac8f0af8172ebee7
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    jquery.ui.datepicker-sl.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-sl.js
    MD5: 7b87e98ac2241fffb8f3e5bb6415ec07
    SHA1: 74cdfcaf824e0d05d93e2e36764df6a4387525a9
    SHA256: 6658622f1ad41e7681a777c3c0b57af4715c5200505ede3b9aad41d384c28472
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    jquery.ui.datepicker-sq.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-sq.js
    MD5: 47ea965b616f6afeab8d860d75787847
    SHA1: cc5b4ebcb1dc15f47dc7f31b0c8514140314edbd
    SHA256: d6d0392f67288cb851141c02ffbddbc53daa4c3d632d5d0f14795c7f0d2e4bf5
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    jquery.ui.datepicker-sr-SR.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-sr-SR.js
    MD5: 3d23308dfb3943acdf90bdd46b25f9e2
    SHA1: 14d201f20ab664a135aa8fc589e79e7230c7125f
    SHA256: e405583497af85ddd4d3560af4a85a3b5d87a45ecd229c9bc67ddedc57bfcda6
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    jquery.ui.datepicker-sr.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-sr.js
    MD5: 7083f39fcb737210e0a13c6196f3feb4
    SHA1: 7f078aac8fc2b874da5e4bac3fd2bbefe8db91d4
    SHA256: 3273a2131896be177f059148daa0d3437c5d0ac1f708fdfa26cd6ba290c7cdd8
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    jquery.ui.datepicker-sv.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-sv.js
    MD5: 88fbc9581e8abeac0fe083d572428c45
    SHA1: 81371ecba81f44876fd3194623cd546ac508410c
    SHA256: a3194fe65ca854e4e941b181939f8c7257e89e1573e19ff47bcef66b1db18107
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    jquery.ui.datepicker-ta.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-ta.js
    MD5: da7607dd5df15b0bcd4da344c33447a3
    SHA1: cb4b8a146c21753647289b7ba81d08b594415789
    SHA256: e19b993c51292eb6724c8678313390df52a8788e27ff4280adf0650f23d46d84
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    jquery.ui.datepicker-th.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-th.js
    MD5: 0f1be4ae65e24fc7d6a37dce828a9cee
    SHA1: 285abe42e96868c32336c9a885b511620cee0c4b
    SHA256: 689d1a48ea4e7499b09517afc66521b4e0fbd6fa48fefd72ae65de01e6bdfd2f
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    jquery.ui.datepicker-tj.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-tj.js
    MD5: f868a410d5438feee15a20e24e4caf5b
    SHA1: 7116883f259f87ebbb4b0e6ef88b586ffb8f1987
    SHA256: 10dece355730e6d149ee7c727737dd2265da5930105bbc061095bbc29ea07fe8
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    jquery.ui.datepicker-tr.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-tr.js
    MD5: 6d11aae285bdd88294e66353feb284da
    SHA1: 43f6270d667d29a1ee9f57b8a7bbe860e28414fd
    SHA256: 357b70d7d9e675f47456a7035bad519aad1c47ce6d6b8fa5e43820871030446f
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    jquery.ui.datepicker-uk.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-uk.js
    MD5: e0b56bc48d64fa8ffef2b8c39f1db725
    SHA1: 921bd478f57c41f261a7a42d9910217d3b285ec5
    SHA256: 5dd9a4954b273dd979313c629d4d749b8c2338cb75e0ed569e882a1633fa86c2
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    jquery.ui.datepicker-vi.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-vi.js
    MD5: 7d54cb0edfbc31232d4ac12f94cec562
    SHA1: 59c9a69db24682c4574038a5bb22aa748499e5af
    SHA256: 2f398a8e354cb530f55ec14e0df4ffdbe33d1078af7625c23ad997698afa23b5
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    jquery.ui.datepicker-zh-CN.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-zh-CN.js
    MD5: 46cc885a69ff490c660e99173dc05ea3
    SHA1: b847ce3b7a3d705dc852ffb3ff76c87b20cb408b
    SHA256: 42a616c30be97a9158cdd22ddd5dd4c6b4e91915b685a979ed1e1c57cc6a3278
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    jquery.ui.datepicker-zh-HK.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-zh-HK.js
    MD5: ab64f179cc7f62ba45d7708e1dee8cae
    SHA1: 10dea8f337339942dee63b2d67acf72ba004b290
    SHA256: a8aa93f05a38dd63018a477401dd5c26ccc43fd5347f348d6bcf169c06f2f5f9
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    jquery.ui.datepicker-zh-TW.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/jquery-ui-1.10.3/i18n/jquery.ui.datepicker-zh-TW.js
    MD5: 411a70a31fe6420be6e5990ea5122e18
    SHA1: c41c7f8e9b868e5aa9a831abdae909fb38ba5f8f
    SHA256: cc02476d6ca84ca3bffb5dcde95f4c9a6ec6b8e748766d44b2dd39409e19fb08
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    jsinterop-annotations-1.0.2-sources.jar

    File Path: /home/vaclav/.m2/repository/com/google/jsinterop/jsinterop-annotations/1.0.2/jsinterop-annotations-1.0.2-sources.jar
    MD5: 28e63b0b2da746938da412393a3b2be1
    SHA1: 33716f8aef043f2f02b78ab4a1acda6cd90a7602
    SHA256: 9091354e2fccf3585fd0de6c5aac78418d84b15d59e5401cfb3c70ebf4950459
    Referenced In Project/Scope: OpenKM Web Application:provided
    jsinterop-annotations-1.0.2-sources.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.google.gwt/gwt-user@2.8.2

    Identifiers

    jsinterop-annotations-1.0.2.jar

    File Path: /home/vaclav/.m2/repository/com/google/jsinterop/jsinterop-annotations/1.0.2/jsinterop-annotations-1.0.2.jar
    MD5: 8644058594a4f656b7d0e2ade4209756
    SHA1: abd7319f53d018e11108a88f599bd16492448dd2
    SHA256: fcaf44731f5b6a606fa428a6d1a9ede11dc628c6f7d0f91c235aa71e337bf014
    Referenced In Project/Scope: OpenKM Web Application:provided
    jsinterop-annotations-1.0.2.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.google.gwt/gwt-user@2.8.2

    Identifiers

    json-lint.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/addon/lint/json-lint.js
    MD5: 82769a33f1e18715fd1da3cb3c3c833e
    SHA1: 00d5f9d13118969cc98db09627ec1a956732e732
    SHA256: 8662433bb44214b06d4a1005535df63b9191d930b8dd636f22aa5ac7f318e643
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    jsonic-1.2.11.jar

    Description:

    simple json encoder/decoder for java

    License:

    The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
    File Path: /home/vaclav/.m2/repository/net/arnx/jsonic/1.2.11/jsonic-1.2.11.jar
    MD5: 6ee823936e58325ca57746c438ff1d30
    SHA1: d85dcd1c5469673b58ec78ceae8a675e2c730c66
    SHA256: 76a787944faab6c9bea64dc78400949027ed6fb686fe9b328d18f949852bc89f
    Referenced In Project/Scope: OpenKM Web Application:compile
    jsonic-1.2.11.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.cybozu/langdetect@2011.11.28

    Identifiers

    jsp-api-2.2.jar

    File Path: /home/vaclav/.m2/repository/javax/servlet/jsp/jsp-api/2.2/jsp-api-2.2.jar
    MD5: dd575c153ec55c650d2a66aefc5ba9d3
    SHA1: 5bf0c26ef77df58c7c28be2d9d52246f2b437a54
    SHA256: cfbb2169429dbfef99f3c419622b7d6b385909aa7816adfa44501e2767a72e89
    Referenced In Project/Scope: OpenKM Web Application:provided
    jsp-api-2.2.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12

    Identifiers

    jspf.core-1.0.3.1.jar

    File Path: /home/vaclav/.m2/repository/com/google/code/jspf.core/1.0.3.1/jspf.core-1.0.3.1.jar
    MD5: a6f6f8664284e590e7936693ae5c11b2
    SHA1: b45a19bea43ce7dc476f13fdf26cbfedc8f2d625
    SHA256: 099dff0a557cb364326049df4ad1830e1ab60721f428d11ef143463a132faced
    Referenced In Project/Scope: OpenKM Web Application:compile
    jspf.core-1.0.3.1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12

    Identifiers

    jsr305-1.3.7.jar

    Description:

    JSR305 Annotations for Findbugs

    License:

    The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
    File Path: /home/vaclav/.m2/repository/com/google/code/findbugs/jsr305/1.3.7/jsr305-1.3.7.jar
    MD5: 144c0767e2aaf0c21a935908d0e52c68
    SHA1: 516c03b21d50a644d538de0f0369c620989cd8f0
    SHA256: 1e7f53fa5b8b5c807e986ba335665da03f18d660802d8bf061823089d1bee468
    Referenced In Project/Scope: OpenKM Web Application:compile
    jsr305-1.3.7.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.google.gdata/core@1.47.1

    Identifiers

    jstl-1.2.jar

    File Path: /home/vaclav/.m2/repository/javax/servlet/jstl/1.2/jstl-1.2.jar
    MD5: 51e15f798e69358cb893e38c50596b9b
    SHA1: 74aca283cd4f4b4f3e425f5820cda58f44409547
    SHA256: c6273119354a41522877e663582041012b22f8204fe72bba337ed84c7e649b0a
    Referenced In Project/Scope: OpenKM Web Application:compile
    jstl-1.2.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12

    Identifiers

    CVE-2015-0254 (OSSINDEX)

    Apache Standard Taglibs before 1.2.3 allows remote attackers to execute arbitrary code or conduct external XML entity (XXE) attacks via a crafted XSLT extension in a (1) <x:parse> or (2) <x:transform> JSTL XML tag.
    CWE-Other

    CVSSv2:
    • Base Score: HIGH (7.5)
    • Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

    References:

    Vulnerable Software & Versions (OSSINDEX):

    • cpe:2.3:a:javax.servlet:jstl:1.2:*:*:*:*:*:*:*

    jta-1.1.jar

    Description:

    The javax.transaction package. It is appropriate for inclusion in a classpath, and may be added to a Java 2 installation.

    File Path: /home/vaclav/.m2/repository/javax/transaction/jta/1.1/jta-1.1.jar
    MD5: 82a10ce714f411b28f13850059de09ee
    SHA1: 2ca09f0b36ca7d71b762e14ea2ff09d5eac57558
    SHA256: b8ec163b4a47bad16f9a0b7d03c3210c6b0a29216d768031073ac20817c0ba50
    Referenced In Project/Scope: OpenKM Web Application:compile
    jta-1.1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12

    Identifiers

    julia.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/julia/julia.js
    MD5: 719036f3ef8c87e241a695a62a2145e5
    SHA1: 5fd643fe96a8cae5f2cc2a515e08dfb1c4c5e807
    SHA256: a7912ef04372b32c231a965749aeecf87d102bb89777a3dfc838f5d2aa4152e6
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    junit-4.11.jar

    Description:

    JUnit is a regression testing framework written by Erich Gamma and Kent Beck. It is used by the developer who implements unit tests in Java.

    License:

    Common Public License Version 1.0: http://www.opensource.org/licenses/cpl1.0.txt
    File Path: /home/vaclav/.m2/repository/junit/junit/4.11/junit-4.11.jar
    MD5: 3c42be5ea7cbf3635716abbb429cb90d
    SHA1: 4e031bb61df09069aeb2bffb4019e7a5034a4ee0
    SHA256: 90a8e1603eeca48e7e879f3afbc9560715322985f39a274f6f6070b43f9d06fe
    Referenced In Project/Scope: OpenKM Web Application:compile
    junit-4.11.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12

    Identifiers

    CVE-2020-15250

    In JUnit4 from version 4.7 and before 4.13.1, the test rule TemporaryFolder contains a local information disclosure vulnerability. On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. This vulnerability impacts you if the JUnit tests write sensitive information, like API keys or passwords, into the temporary folder, and the JUnit tests execute in an environment where the OS has other untrusted users. Because certain JDK file system APIs were only added in JDK 1.7, this fix is dependent upon the version of the JDK you are using. For Java 1.7 and higher users: this vulnerability is fixed in 4.13.1. For Java 1.6 and lower users: no patch is available, you must use the workaround below. If you are unable to patch, or are stuck running on Java 1.6, specifying the `java.io.tmpdir` system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability. For more information, including an example of vulnerable code, see the referenced GitHub Security Advisory.
    CWE-732 Incorrect Permission Assignment for Critical Resource, CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

    CVSSv2:
    • Base Score: LOW (1.9)
    • Vector: /AV:L/AC:M/Au:N/C:P/I:N/A:N
    CVSSv3:
    • Base Score: MEDIUM (5.5)
    • Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:1.8/RC:R/MAV:A

    References:

    Vulnerable Software & Versions:

    jwplayer.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/mediaplayer/jwplayer.js
    MD5: 299783690ae05d071cb75408656d6435
    SHA1: aac73ea081f8a850de95bd907a66992c6ad7e7ac
    SHA256:d8a927b0a0d1490b1771fd6980a7e827d5192c6065578ada7a550cd8e3641461
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    ka_GE.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/ka_GE.js
    MD5: e288aba75f3368a8007774f9d641198d
    SHA1: cf13d1cb69676b05bdb0b31ce263a23dca005272
    SHA256:81c023d83ea778e394a02792ebc3b6b8bdab3881f0e8610a52c7adc8483b3045
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    kk.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/kk.js
    MD5: 8d2c652ce0ecfb2b97a9c6c2bcd7a5de
    SHA1: b81abab163c593f93b9710136d8bb3b9e3e9903c
    SHA256:776aa27cdf62d3d6bc57baea443b6fe4ebd6f721ad6f7954703f6667061bc808
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    km_KH.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/km_KH.js
    MD5: 3ff61481d97b27ed6bd94706630e50f6
    SHA1: dd583cc9446989353f369c808706efb0b047faa9
    SHA256:82a7dc971826e22438e2de82d95a31f5b27236ece4dbb2e50062f7e9e97470fc
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    ko_KR.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/ko_KR.js
    MD5: 5da9a34b5205e8ac872b66c93da46487
    SHA1: 5d2c0cdc65efbe0a019e99bf299ea9714a7276aa
    SHA256:d8f8c591e457c0fcae43ee1ddd7d7a441a1519b21b0460c18f074d9c3ed4f485
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    langdetect-2011.11.28.jar

    File Path: /home/vaclav/.m2/repository/com/cybozu/langdetect/2011.11.28/langdetect-2011.11.28.jar
    MD5: 8866b8b89f180a038fe756c6fb670028
    SHA1: d8e4ab8d1b35ec369b3b57c40471ea582dfefd73
    SHA256:c710f1c23aec1ca4b0f28cfc828d6bfd259aa3e3cd818fdb293069b7bbc4f066
    Referenced In Project/Scope: OpenKM Web Application:compile
    langdetect-2011.11.28.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12

    Identifiers

    lb.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/lb.js
    MD5: 3882f455e0f3c3b7e69951cddc029693
    SHA1: 527a9051b9f4195e72f3114e635ed202d8f2e2aa
    SHA256:27f2abd072555246145c2abe7a9c38be46952eb5e5200f6b741091ece2df458d
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    less_test.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/css/less_test.js
    MD5: e103e68f6cb054ee9e674538e9a65821
    SHA1: e128c2b38699fa26d0daf4b65b10dc2a48ddb5cb
    SHA256:350bf6ded56d99375701f0906d6988bd04657a28540de2f46271043969f5c3f6
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    lint.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/addon/lint/lint.js
    MD5: 6ebc8915cbf8e7c9fd1e7fbbfecb10ce
    SHA1: 24ae536b51535ad816efa5566c5a5341c19e85c5
    SHA256:ed23a311a39fc8a0e344a43d29b15b32c5f2536e79d7aafcb1caf6d9337ba513
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    livescript.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/livescript/livescript.js
    MD5: 3dae750db537227724de81ecb49a5725
    SHA1: 0336048497290cc213a057c7489527322390c317
    SHA256:caa777b72cdb8f0ae042a779f60525d4a0add5265f677a07901406a647ff21e8
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    loadmode.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/addon/mode/loadmode.js
    MD5: 6723cf5089729dc508502d24fa336f5f
    SHA1: 2b23f6437ca54411534b28243d9106b89b075729
    SHA256:b44f149ef74bc21274072a6ca3c28371d610b2b2e0fb17e33f24e892fcdcbe36
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    logback-classic-1.1.3.jar

    Description:

    logback-classic module

    License:

    http://www.eclipse.org/legal/epl-v10.html, http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html
    File Path: /home/vaclav/.m2/repository/ch/qos/logback/logback-classic/1.1.3/logback-classic-1.1.3.jar
    MD5: 19ec751a4fe907ddb204dff93103acbb
    SHA1: d90276fff414f06cb375f2057f6778cd63c6082f
    SHA256:98c3f18f5d0d642cd5f327cc724566cd19649626c7d88f70143bd704c94157d5
    Referenced In Project/Scope: OpenKM Web Application:compile
    logback-classic-1.1.3.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12

    Identifiers

    CVE-2017-5929  

    QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.
    CWE-502 Deserialization of Untrusted Data

    CVSSv2:
    • Base Score: HIGH (7.5)
    • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
    CVSSv3:
    • Base Score: CRITICAL (9.8)
    • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A

    References:

    Vulnerable Software & Versions:

    CVE-2023-6378 (OSSINDEX)  

    A serialization vulnerability in the logback receiver component, part of logback version 1.4.11, allows an attacker to mount a Denial-Of-Service attack by sending poisoned data.

    Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2023-6378 for details.
    CWE-502 Deserialization of Untrusted Data

    CVSSv3:
    • Base Score: HIGH (7.5)
    • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

    References:

    Vulnerable Software & Versions (OSSINDEX):

    • cpe:2.3:a:ch.qos.logback:logback-classic:1.1.3:*:*:*:*:*:*:*

    CVE-2021-42550  

    In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configuration files could craft a malicious configuration that allows arbitrary code loaded from LDAP servers to be executed.
    CWE-502 Deserialization of Untrusted Data

    CVSSv2:
    • Base Score: HIGH (8.5)
    • Vector: /AV:N/AC:M/Au:S/C:C/I:C/A:C
    CVSSv3:
    • Base Score: MEDIUM (6.6)
    • Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H/E:0.7/RC:R/MAV:A

    References:

    Vulnerable Software & Versions:

    logback-core-1.1.3.jar

    Description:

    logback-core module

    License:

    http://www.eclipse.org/legal/epl-v10.html, http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html
    File Path: /home/vaclav/.m2/repository/ch/qos/logback/logback-core/1.1.3/logback-core-1.1.3.jar
    MD5: 94975ef44aa05c5067563875a783351e
    SHA1: e3c02049f2dbbc764681b40094ecf0dcbc99b157
    SHA256:47c0fd342995d3315b8faccacc324b2a76143b27c430d4b2d6a29eabc31f5c14
    Referenced In Project/Scope: OpenKM Web Application:compile
    logback-core-1.1.3.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/ch.qos.logback/logback-classic@1.1.3

    Identifiers

    CVE-2017-5929  

    QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.
    CWE-502 Deserialization of Untrusted Data

    CVSSv2:
    • Base Score: HIGH (7.5)
    • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
    CVSSv3:
    • Base Score: CRITICAL (9.8)
    • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A

    References:

    Vulnerable Software & Versions:

    CVE-2021-42550  

    In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configuration files could craft a malicious configuration that allows arbitrary code loaded from LDAP servers to be executed.
    CWE-502 Deserialization of Untrusted Data

    CVSSv2:
    • Base Score: HIGH (8.5)
    • Vector: /AV:N/AC:M/Au:S/C:C/I:C/A:C
    CVSSv3:
    • Base Score: MEDIUM (6.6)
    • Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H/E:0.7/RC:R/MAV:A

    References:

    Vulnerable Software & Versions:

    loremipsum-1.0.jar

    Description:

    Simple, light-weight Java class for generating lorem ipsum placeholder text

    License:

    MIT: http://www.opensource.org/licenses/mit-license.php
    File Path: /home/vaclav/.m2/repository/de/sven-jacobs/loremipsum/1.0/loremipsum-1.0.jar
    MD5: 153f5cd006087d99099fd5b5a8c17d10
    SHA1: 91bf10988b4a30a30786e53ca72b51b5f44c4458
    SHA256:a7f945949ad766da798cb5fb7087a2d83512a5a848391a872004e07e6d00d34b
    Referenced In Project/Scope: OpenKM Web Application:compile
    loremipsum-1.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12

    Identifiers

    lt.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/lt.js
    MD5: ad72abfb2895ac0855eea09e8480b691
    SHA1: bcdb1073b61fb8fe5c8662062faeb575d5209127
    SHA256:b5db33b254b1eb6a2da2d71e9f9186728776e9d422633d2be5440f61f1bd24c7
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    lua.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/lua/lua.js
    MD5: ce04636ef891d1e9bd633eae5a954ba7
    SHA1: 079652e566ac50c1063b3bbbb3388a9f9d20f53e
    SHA256:d8e80854ae6bff0904c1303de3a5dd834789db2d535535a89402556eaa2ec4d3
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    lucene-analyzers-3.1.0.jar

    Description:

    Additional Analyzers

    File Path: /home/vaclav/.m2/repository/org/apache/lucene/lucene-analyzers/3.1.0/lucene-analyzers-3.1.0.jar
    MD5: 52982b9865f1ea4af4f545ae67c128f8
    SHA1: c5100d5ebcb703824de93c71c21dd99a88e16264
    SHA256:4ed9e4fe767157de9d9409ad5240866c63067c564cc816816dc8bdd1ef2d4923
    Referenced In Project/Scope: OpenKM Web Application:compile
    lucene-analyzers-3.1.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.hibernate/hibernate-search@3.4.2.Final

    Identifiers

    lucene-core-3.1.0.jar

    Description:

    Apache Lucene Java Core

    File Path: /home/vaclav/.m2/repository/org/apache/lucene/lucene-core/3.1.0/lucene-core-3.1.0.jar
    MD5: 84f0ab76ab7915b7eae98671e43a1e3f
    SHA1: 346e85978e23f126cbc821ac2b6528bd4e510296
    SHA256:b72d617511051cbafe947833b4b4527e8f8617c454f3713f673d74adc29f7942
    Referenced In Project/Scope: OpenKM Web Application:compile
    lucene-core-3.1.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.hibernate/hibernate-search@3.4.2.Final

    Identifiers

    lucene-highlighter-3.1.0.jar

    Description:

    This is the highlighter for Apache Lucene Java

    File Path: /home/vaclav/.m2/repository/org/apache/lucene/lucene-highlighter/3.1.0/lucene-highlighter-3.1.0.jar
    MD5: 9b008521bfff4e6a301bb8326bb68765
    SHA1: bbb7136982fd24ac5aad14df3af4a4b23c9b662a
    SHA256:b7625859e59a9710280b824b63e7927af30431a60ad8a37d46fbe146c07ca1b8
    Referenced In Project/Scope: OpenKM Web Application:compile
    lucene-highlighter-3.1.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.hibernate/hibernate-search@3.4.2.Final

    Identifiers

    lucene-memory-3.1.0.jar

    Description:

    High-performance single-document index to compare against Query

    File Path: /home/vaclav/.m2/repository/org/apache/lucene/lucene-memory/3.1.0/lucene-memory-3.1.0.jar
    MD5: 727fa0098f264b4a1a7cd6959cdffe6b
    SHA1: a2b306f0e142bb6467ba62d0010721fded14fa01
    SHA256:e12625df29cb90c14f63305283ca454aabad3f7fff41fae0f5a0c9cbe7781d02
    Referenced In Project/Scope: OpenKM Web Application:compile
    lucene-memory-3.1.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.hibernate/hibernate-search@3.4.2.Final

    Identifiers

    lucene-misc-3.1.0.jar

    Description:

    Miscellaneous Lucene extensions

    File Path: /home/vaclav/.m2/repository/org/apache/lucene/lucene-misc/3.1.0/lucene-misc-3.1.0.jar
    MD5: 4d3aef83d0889181999ae530ac620d5c
    SHA1: 99cd3561507b065f5292f15743bd1f5da3025ca6
    SHA256:a3fbfc764cfc43e3e2da770b9eb8badf74ec20fb313b09b505f6d7ff17b8127f
    Referenced In Project/Scope: OpenKM Web Application:compile
    lucene-misc-3.1.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.hibernate/hibernate-search@3.4.2.Final

    Identifiers

    lucene-queries-3.1.0.jar

    Description:

    Queries - various query object exotica not in core

    File Path: /home/vaclav/.m2/repository/org/apache/lucene/lucene-queries/3.1.0/lucene-queries-3.1.0.jar
    MD5: ab8fcd539683ec321436421e7f4e75f4
    SHA1: 2334ff134af64789d505c7e2818cbe23b9f77c3f
    SHA256:cd833414690bb3c1108b252ca66e7b395e9c94d5ad305ffb5a089c657597febb
    Referenced In Project/Scope: OpenKM Web Application:compile
    lucene-queries-3.1.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12

    Identifiers

    lucene-smartcn-3.1.0.jar

    Description:

    Smart Chinese Analyzer

    File Path: /home/vaclav/.m2/repository/org/apache/lucene/lucene-smartcn/3.1.0/lucene-smartcn-3.1.0.jar
    MD5: 82a9fcf1db8601d16c7edab3d42236b8
    SHA1: 1f800a09e14e76c9d8e79ba3c9fa3b659004452d
    SHA256:24b25853fa4a4863f72096d3a44727bfb2fdada6bf3ef89ce7a4edb3d9bc0670
    Referenced In Project/Scope: OpenKM Web Application:compile
    lucene-smartcn-3.1.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.hibernate/hibernate-search@3.4.2.Final

    Identifiers

    lucene-spatial-3.1.0.jar

    Description:

    Spatial search package

    File Path: /home/vaclav/.m2/repository/org/apache/lucene/lucene-spatial/3.1.0/lucene-spatial-3.1.0.jar
    MD5: a13c130c4d912ce62c760fa08f072d7b
    SHA1: 50929b60f8aa61540c1c37c1bb4346e7b6c05f54
    SHA256:cec17a32a174ecc3eccd8e90b3ea036fe5b27d5d475d64d3f8a9b5db5e2f5d0a
    Referenced In Project/Scope: OpenKM Web Application:compile
    lucene-spatial-3.1.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.hibernate/hibernate-search@3.4.2.Final

    Identifiers

    lucene-spellchecker-3.1.0.jar

    Description:

    Spell Checker

    File Path: /home/vaclav/.m2/repository/org/apache/lucene/lucene-spellchecker/3.1.0/lucene-spellchecker-3.1.0.jar
    MD5: f9f0cce47fa28854ec1da37dfef1766c
    SHA1: d0b34455273bfad85db4948c0c722f505670230d
    SHA256:921aa62f7e45d563f7f69b4eeb4f2e926deb9e276fa5d1788657ed037c48f7c9
    Referenced In Project/Scope: OpenKM Web Application:compile
    lucene-spellchecker-3.1.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.hibernate/hibernate-search@3.4.2.Final

    Identifiers

    lucene-stempel-3.1.0.jar

    Description:

    Stempel Analyzer

    File Path: /home/vaclav/.m2/repository/org/apache/lucene/lucene-stempel/3.1.0/lucene-stempel-3.1.0.jar
    MD5: 42f8a10b8eb231c9596535f57046668c
    SHA1: 5cb339ba2c7c8fe60d5209c8eb4fcfb1e9d21bbd
    SHA256:151f33ab653e98e9e75ea73d4683eff8d5265a1824d218ab9cddd34e7b5aaa4b
    Referenced In Project/Scope: OpenKM Web Application:compile
    lucene-stempel-3.1.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.hibernate/hibernate-search@3.4.2.Final

    Identifiers

    lv.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/lv.js
    MD5: cb529a1758b0ba9c3851bbcddc9782b8
    SHA1: cd2b72b8c26902afe31445f8d32c9728a2da0dd9
    SHA256:83a9461c5b34565faaa435bd5badf9c1b2a58ed7f7934ee5c96df6505dc4f091
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    mark-selection.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/addon/selection/mark-selection.js
    MD5: 507aa55d1fcd70b91dcb696dc3bd778e
    SHA1: 0b029851289274525d4a3cfa8824a6eff37bcb4b
    SHA256:49d41cf838dd1d4969097ae99eb5955c1c85785f0ce20f0f9f13c50ff3e5b729
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    markdown-fold.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/addon/fold/markdown-fold.js
    MD5: 6c40139c3c6a06a7c7d6fedde26dafeb
    SHA1: 3c8168603eb44850e0e55b0ba322303072d7635c
    SHA256:af715924a218cdf9a96b5341eebf84fd51576857a992f86dfadd3053a1a4e270
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    markdown.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/markdown/markdown.js
    MD5: 755d1507d859de315845f643d7a15c7a
    SHA1: 47e834eff7fc5a17ebd452f7619e52f53fc728c1
    SHA256:59f0bc7c9ce9af7ab6a7b0c36a3c58d143cfd294723d53990d622f60479fadd0
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    match-highlighter.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/addon/search/match-highlighter.js
    MD5: 9453d57dd359fd804723e49c044d943e
    SHA1: aba65691de407adb2dcfbab92d3ebbe9655bc28b
    SHA256:44ef08ac13d37b7d83a24c58d871634cb5325b7ba638f89a9293cc93f4f3b0bc
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    matchbrackets.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/addon/edit/matchbrackets.js
    MD5: 7161292fcb7991bc001216f1ff4660cc
    SHA1: 0c385be2fb0992ccc5e331fb7e24636cc5d6df28
    SHA256:514db3a9f1838a22983454162a47e9e3efba3e037ff3f688a3ec9148b3695d9b
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    matchtags.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/addon/edit/matchtags.js
    MD5: 4b0b6b3278dd26ee7de91fb57a746f2f
    SHA1: ac8d4795090ac881d9a3a9e83962526fd7692b0e
    SHA256:f0486606ef875ae2c6b3eefd4c01ff9ea8020bdfc72163911f84612f054e9592
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    mbassador-1.1.10.jar

    Description:

    Mbassador is a fast and flexible message bus system following the publish subscribe pattern. It is designed for ease of use and aims to be feature rich and extensible while preserving resource efficiency and performance.

    It features:
    • declarative handler definition via annotations,
    • sync and/or async message delivery,
    • weak-references,
    • message filtering,
    • ordering of message handlers etc.

    License:

    MIT license: http://www.opensource.org/licenses/mit-license.php
    File Path: /home/vaclav/.m2/repository/net/engio/mbassador/1.1.10/mbassador-1.1.10.jar
    MD5: b85f208787fda54300adc3b4a789a3e9
    SHA1: ca527ef1806b999b1efdc54ad62ec4984c59fefe
    SHA256:c9371e6712c8875b4e4f81c5d20c2a3bfd99913ad312dffa5ebb25300cf5da83
    Referenced In Project/Scope: OpenKM Web Application:compile
    mbassador-1.1.10.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.docx4j/docx4j@3.1.0

    Identifiers

    merge.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/addon/merge/merge.js
    MD5: 108249d50e4ff8b3fc6b709b8209c902
    SHA1: fa30f595abbd0e9caff4a74d9be2c05be08f262d
    SHA256:312b05ad5a1ed5cad0a4b0bab92ac328b5684de6e5e435b4d0a263acab8533b3
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    meta.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/meta.js
    MD5: 327ffd1122c292df9aeb47cf74fddef1
    SHA1: 5747828d7c47cb592a4ab17d74ae5b4f1b3dfd8e
    SHA256:6311055d60b81a21f8bf6e155cec08ff3a02eb692cda3cfea349cc4d09835ab7
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    metadata-extractor-2.4.0-beta-1.jar

    Description:

    a general metadata extraction framework

    License:

    public domain: http://www.drewnoakes.com/code/exif/
    File Path: /home/vaclav/.m2/repository/com/drewnoakes/metadata-extractor/2.4.0-beta-1/metadata-extractor-2.4.0-beta-1.jar
    MD5: 6e0ad2f0fe78047cb34ec056b39633d3
    SHA1: f1c0f6c2ebfbe2b11dd04559ad438728e4636d53
    SHA256:b65fddb758066fcf0c0750fa6007715fef11927ba90424159562527ecbe4dde8
    Referenced In Project/Scope: OpenKM Web Application:compile
    metadata-extractor-2.4.0-beta-1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12

    Identifiers

    CVE-2022-24613  

    metadata-extractor up to 2.16.0 can throw various uncaught exceptions while parsing a specially crafted JPEG file, which could result in an application crash. This could be used to mount a denial of service attack against services that use the metadata-extractor library.
    CWE-755 Improper Handling of Exceptional Conditions

    CVSSv2:
    • Base Score: MEDIUM (4.3)
    • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
    CVSSv3:
    • Base Score: MEDIUM (5.5)
    • Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:1.8/RC:R/MAV:A

    References:

    Vulnerable Software & Versions:

    CVE-2022-24614  

    When reading a specially crafted JPEG file, metadata-extractor up to 2.16.0 can be made to allocate large amounts of memory that finally leads to an out-of-memory error even for very small inputs. This could be used to mount a denial of service attack against services that use the metadata-extractor library.
    CWE-770 Allocation of Resources Without Limits or Throttling

    CVSSv2:
    • Base Score: MEDIUM (4.3)
    • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
    CVSSv3:
    • Base Score: MEDIUM (5.5)
    • Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:1.8/RC:R/MAV:A

    References:

    Vulnerable Software & Versions:

    metrics-core-3.1.2.jar

    Description:

    Metrics is a Java library which gives you unparalleled insight into what your code does in production. Metrics provides a powerful toolkit of ways to measure the behavior of critical components in your production environment.

    License:

    http://www.apache.org/licenses/LICENSE-2.0.html
    File Path: /home/vaclav/.m2/repository/io/dropwizard/metrics/metrics-core/3.1.2/metrics-core-3.1.2.jar
    MD5: b8b2de75247322a0c037420f5708e592
    SHA1: 224f03afd2521c6c94632f566beb1bb5ee32cf07
    SHA256:245ba2a66a9bc710ce4db14711126e77bcb4e6d96ef7e622659280f3c90cbb5c
    Referenced In Project/Scope: OpenKM Web Application:compile
    metrics-core-3.1.2.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.apache.cxf/cxf-rt-ws-security@3.2.6

    Identifiers

    milton-api-1.8.1.4.jar

    File Path: /home/vaclav/.m2/repository/com/ettrema/milton-api/1.8.1.4/milton-api-1.8.1.4.jar
    MD5: 9ccf7c67fb4fde0df82e832172ca8437
    SHA1: af352cf80691fc16800808baf525ce46ee6e7941
    SHA256:93a36cc0aca128ff251e6ef4d5eb2588454b9800bdf5efa182367cd319ec780a
    Referenced In Project/Scope: OpenKM Web Application:compile
    milton-api-1.8.1.4.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12

    Identifiers

    CVE-2015-7326  

    XML External Entity (XXE) vulnerability in Milton Webdav before 2.7.0.3.
    CWE-611 Improper Restriction of XML External Entity Reference

    CVSSv2:
    • Base Score: HIGH (7.5)
    • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
    CVSSv3:
    • Base Score: CRITICAL (9.8)
    • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A

    References:

    Vulnerable Software & Versions:

    milton-servlet-1.8.1.4.jar

    File Path: /home/vaclav/.m2/repository/com/ettrema/milton-servlet/1.8.1.4/milton-servlet-1.8.1.4.jar
    MD5: cd0ae3a0fb9bec20812024a334148945
    SHA1: 843132e771a7873894e9098ffa1a1a0822c67c19
    SHA256:b83dc77464c12abf023167a1dd5d3760fe3cbfc5e4b4b3d84a24178380d05d47
    Referenced In Project/Scope: OpenKM Web Application:compile
    milton-servlet-1.8.1.4.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12

    Identifiers

    • pkg:maven/com.ettrema/milton-servlet@1.8.1.4 (Confidence: High)
    • cpe:2.3:a:milton:webdav:1.8.1.4:*:*:*:*:*:*:* (Confidence: Low)
    • cpe:2.3:a:web_project:web:1.8.1.4:*:*:*:*:*:*:* (Confidence: Low)

    CVE-2015-7326  

    XML External Entity (XXE) vulnerability in Milton Webdav before 2.7.0.3.
    CWE-611 Improper Restriction of XML External Entity Reference

    CVSSv2:
    • Base Score: HIGH (7.5)
    • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
    CVSSv3:
    • Base Score: CRITICAL (9.8)
    • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A

    References:

    Vulnerable Software & Versions:

    mime-util-2.1.3.jar

    Description:

    mime-util is a simple to use, small, light weight and fast open source Java utility library that can detect MIME types from files, input streams, URLs and byte arrays. Due to the use of regular expressions and the java.nio packages it requires at least Java 1.4.

    License:

    The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
    File Path: /home/vaclav/.m2/repository/eu/medsea/mimeutil/mime-util/2.1.3/mime-util-2.1.3.jar
    MD5: 3d4f3e1a96eb79683197f1c8b182f4a6
    SHA1: 0c9cfae15c74f62491d4f28def0dff1dabe52a47
    SHA256:7512022ecd4228458a0ab456f9fcddac21f0759f1b07100c3528174eb63bdcaf
    Referenced In Project/Scope: OpenKM Web Application:compile
    mime-util-2.1.3.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.ettrema/milton-api@1.8.1.4

    Identifiers

    mimepull-1.9.4.jar

    Description:

    Provides a streaming API to access attachment parts in a MIME message.

    License:

    CDDL 1.1: https://glassfish.java.net/public/CDDL+GPL_1_1.html
    GPL2 w/ CPE: https://glassfish.java.net/public/CDDL+GPL_1_1.html
    File Path: /home/vaclav/.m2/repository/org/jvnet/mimepull/mimepull/1.9.4/mimepull-1.9.4.jar
    MD5: c2d46f041ac535d98ff32169beb5468d
    SHA1: 6ffca64fe0209a94c5a973a32e93b5eae0ac384e
    SHA256:903d65a5724141ef25d7e4c98e041b868b0e2a4a43afd724509aee3153889358
    Referenced In Project/Scope: OpenKM Web Application:compile
    mimepull-1.9.4.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.apache.chemistry.opencmis/chemistry-opencmis-server-bindings@0.12.0

    Identifiers

    mirc.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/mirc/mirc.js
    MD5: b159f0b7d6f933d706e75eb6edd2aef1
    SHA1: 9a4612d214c16a3e7bfc26d48dcf35a0cfbb991c
    SHA256:13c688e10ab849bc0a9268ff950fe16526820b15ac6534609150fff4009f9747
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    ml.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/ml.js
    MD5: 45e75b84865446f15edcab41d33314a7
    SHA1: 59a4f4628dc954f152b20ccf8dd891c136c8530a
    SHA256:4c350934724bb70d19ecba49e559407a41d27ce9ee9a03faed8ecaa352d71dab
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    ml_IN.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/ml_IN.js
    MD5: 9d5fb7ece346a98047b34b12e25255d9
    SHA1: 19214b56d959ca38aa41c51320eb091982219e72
    SHA256:734f4bd809fad57f09202df42ec6f090b9af87b93d667e829b90ff2b6ecdc015
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    mllike.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/mllike/mllike.js
    MD5: 731c2ed97f1e72887eb0ca47e3b18194
    SHA1: a03698747d40ce2ca0d31318b6ea5d8063787865
    SHA256:c997ce47982f887ba4dd264be84296cae393cef11ac72178aab0574765e7d896
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    mn_MN.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/mn_MN.js
    MD5: 90ff2a1ba6669c058c944332247ba4e3
    SHA1: cd761f3a7c171b6ab7ba1c9a19ff9b5e8e3a9a3e
    SHA256:ac4feea3e78431f5c4dac45abb1d4e086c3943df0ba1d29ab4143fa4a1c30aaa
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    mockito-core-1.9.5.jar

    Description:

    Mock objects library for java

    License:

    The MIT License: http://code.google.com/p/mockito/wiki/License
    File Path: /home/vaclav/.m2/repository/org/mockito/mockito-core/1.9.5/mockito-core-1.9.5.jar
    MD5: 6f73cf04a56eb60aaa996506e7c10fc7
    SHA1: c3264abeea62c4d2f367e21484fbb40c7e256393
    SHA256:f97483ba0944b9fa133aa29638764ddbeadb51ec3dbc02074c58fa2caecd07fa
    Referenced In Project/Scope: OpenKM Web Application:compile
    mockito-core-1.9.5.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.googlecode.catch-exception/catch-exception@1.2.0

    Identifiers

    msgparser-1.12.jar

    File Path: /home/vaclav/.m2/repository/com/auxilii/msgparser/1.12/msgparser-1.12.jar
    MD5: f81902a49613cfe7316fdbca41317c8e
    SHA1: 6fe3122ebd95914b5a546e6390aeb1e14d75d2c8
    SHA256:9a1f6ebfeaef46da25f430280f8c623f6c1e45afc120c46bccb408d810334397
    Referenced In Project/Scope: OpenKM Web Application:compile
    msgparser-1.12.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12

    Identifiers

    multiplex.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/addon/mode/multiplex.js
    MD5: 33ad8c8d3b016bc2935afdc223dc8ccf
    SHA1: 6f402341990dcdc0884cf432aa86f6a1d9eb3a40
    SHA256:0afbb4e3f601c50b773bdd677ab7e7e3b3cb04a776b4cd28936c11a3c52315f8
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    multiplex_test.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/addon/mode/multiplex_test.js
    MD5: 9b495b24f2c22cc50dbb554a396f733b
    SHA1: f8e47b799fb9073f61903c943b00c984df618740
    SHA256:9956ae95af26db1e175c3ecbb510ede73849407941639de605fefd46adc18f21
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    nb_NO.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/nb_NO.js
    MD5: c106b632b91ed96bf59e57d3a3248fd8
    SHA1: 02718c5464ea30fe6747327662be70553c721093
    SHA256:efddb2470fe0080627326cbc336f68bf19928432c5d73268bc5904f8c269032c
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    neethi-3.1.1.jar

    Description:

    Apache Neethi provides a general framework for programmers to use WS Policy. It is compliant with the latest WS Policy specification, published in March 2006. This framework is specifically written to enable the Apache Web services stack to use WS Policy as a way of expressing its requirements and capabilities.

    License:

    The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
    File Path: /home/vaclav/.m2/repository/org/apache/neethi/neethi/3.1.1/neethi-3.1.1.jar
    MD5: 13dd27a2bd870dfb01d67a086a8c1948
    SHA1: 3a942a7921e66bb0081b16cf8f8a68e456b91de1
    SHA256: 7f8c00d9bbfbaa97a97a461cdeadb20054b956acb7536782703ca5a9a330ff22
    Referenced In Project/Scope: OpenKM Web Application:compile
    neethi-3.1.1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.apache.cxf/cxf-rt-ws-security@3.2.6

    Identifiers

    nekohtml-1.9.14.jar

    License:

    The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
    File Path: /home/vaclav/.m2/repository/net/sourceforge/nekohtml/nekohtml/1.9.14/nekohtml-1.9.14.jar
    MD5: 48e909b5cab667a8718e6e322f5ce75d
    SHA1: 712d3d54f758c9f6cd33d954b0b963bdb27514d6
    SHA256: 8ab048645c8faf73540475afb513d7354e1b6e0fcaf98bb842ab81605ef80ffd
    Referenced In Project/Scope: OpenKM Web Application:compile
    nekohtml-1.9.14.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12

    Identifiers

    CVE-2022-24839

    org.cyberneko.html is an html parser written in Java. The fork of `org.cyberneko.html` used by Nokogiri (Rubygem) raises a `java.lang.OutOfMemoryError` exception when parsing ill-formed HTML markup. Users are advised to upgrade to `>= 1.9.22.noko2`. Note: The upstream library `org.cyberneko.html` is no longer maintained. Nokogiri uses its own fork of this library located at https://github.com/sparklemotion/nekohtml and this CVE applies only to that fork. Other forks of nekohtml may have a similar vulnerability.
    CWE-400 Uncontrolled Resource Consumption

    CVSSv2:
    • Base Score: MEDIUM (5.0)
    • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
    CVSSv3:
    • Base Score: HIGH (7.5)
    • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A

    References:

    Vulnerable Software & Versions:

    CVE-2024-23635 (OSSINDEX)

    AntiSamy is a library for performing fast, configurable cleansing of HTML coming from untrusted sources. Prior to 1.7.5, there is a potential for a mutation XSS (mXSS) vulnerability in AntiSamy caused by flawed parsing of the HTML being sanitized. To be subject to this vulnerability the `preserveComments` directive must be enabled in your policy file. As a result, certain crafty inputs can result in elements in comment tags being interpreted as executable when using AntiSamy's sanitized output. Patched in AntiSamy 1.7.5 and later. 
    CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

    CVSSv3:
    • Base Score: MEDIUM (6.1)
    • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

    References:

    Vulnerable Software & Versions (OSSINDEX):

    • cpe:2.3:a:net.sourceforge.nekohtml:nekohtml:1.9.14:*:*:*:*:*:*:*

    nginx.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/nginx/nginx.js
    MD5: 95db8c4d095958979a2e3aa2f08ba493
    SHA1: 5f6ee414c04f6dea6cbd340c69691d8d813981fb
    SHA256: 7a3a59ca08ace4d0954ba578c47d4e8aa474a31df3f765cd50f6209fe1bc37ef
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    nl.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/nl.js
    MD5: 208eae38f0efb03973ea89170be7cdd4
    SHA1: 09baea88f269c9ea1c8d50ce5ebfc664c97d4d18
    SHA256: f2f2b83927cfd5f9e26f08b1228417490138c18df12af324c7f8f0fcb318bd0c
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    npm.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/bootstrap/npm.js
    MD5: ccb7f3909e30b1eb8f65a24393c6e12b
    SHA1: e2b7590d6ec1fdac66b01fdf66ae0879f53b1262
    SHA256: c7aa82a1aa7d45224a38d926d2adaff7fe4aef5bcdafa2a47bdac057f4422c2d
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    ntriples.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/ntriples/ntriples.js
    MD5: 31172849c60958f569a7f394e3794b50
    SHA1: 26faf92f822690c2e14d6a211f2e943ef83826e9
    SHA256: bd438c03b0261982696b03da6d040acb5043a0d80cca1f20b0182859178987ae
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    objenesis-1.0.jar

    Description:

    A library for instantiating Java objects

    License:

    MIT License: http://objenesis.googlecode.com/svn/docs/license.html
    File Path: /home/vaclav/.m2/repository/org/objenesis/objenesis/1.0/objenesis-1.0.jar
    MD5: 1989c831f28c92fae9b333cf5c9f9926
    SHA1: 9b473564e792c2bdf1449da1f0b1b5bff9805704
    SHA256: c5694b55d92527479382f254199b3c6b1d8780f652ad61e9ca59919887f491a8
    Referenced In Project/Scope: OpenKM Web Application:compile
    objenesis-1.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.googlecode.catch-exception/catch-exception@1.2.0

    Identifiers

    octave.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/octave/octave.js
    MD5: 86dafc8a5df94ec96c8b44a46ca1d799
    SHA1: 89c62346b7213aac60bc5e5086e58823909ca75d
    SHA256:9dc20092362b90276f49b116dccfd51703af89a0ff5731638ec630e841a75938
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    odfdom-java-0.8.6.jar

    Description:

    OpenDocument Format (ODF) library

    License:

    Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt
    File Path: /home/vaclav/.m2/repository/org/odftoolkit/odfdom-java/0.8.6/odfdom-java-0.8.6.jar
    MD5: 721eab6944ea0e1a63659380790b34e3
    SHA1: f8e2f85cc5a697619784f50fd2a086d51dcc78f3
    SHA256: b54ffce15aa8cb32e1652d97987648fb39ffe304c23563d9e028b6b997e0d596
    Referenced In Project/Scope: OpenKM Web Application:compile
    odfdom-java-0.8.6.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12

    Identifiers

    odfutils-051129.jar

    File Path: /home/vaclav/.m2/repository/com/catcode/odfutils/051129/odfutils-051129.jar
    MD5: 8204cdb8f048ded10b2819f28fe668ab
    SHA1: 789ed4706def560c0a5877f164916d21eae627c0
    SHA256: 420a340161eebbedeb735569f1921b7e801f5908212450e2727429a2203b82a9
    Referenced In Project/Scope: OpenKM Web Application:compile
    odfutils-051129.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12

    Identifiers

    okm_mail_tinymce4.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/okm_mail_tinymce4.js
    MD5: 9a5e05de05eccc108faa5838c534f628
    SHA1: 9768da7cca740dac2a9b9ed43f479c983c65ae77
    SHA256: 85f7b1191148afd5d6f4a9be6a0bc29ad9812345e343e641d388b6e1d125a096
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    okm_tinymce.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/okm_tinymce.js
    MD5: a2abc512a86e6f51d8a766b845f92bb9
    SHA1: 55ece1dacc760f074f6b41d57c27d9c6eaf22846
    SHA256: 25dcfd383f0c740c986d4c205409d8709df976b7611572150c62883860bbf430
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    okm_tinymce4.js

    File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/okm_tinymce4.js
    MD5: 399d5a75228069faa9a8ca7137d0b278
    SHA1: eadcbf0c433219905c5d9b3d7849e2d374fbcd4c
    SHA256: ed7c0ff1115a73e527337958b8947f9da4932a9f5c65fdb3747f85bf624a1ded
    Referenced In Project/Scope: OpenKM Web Application

    Identifiers

    • None

    olap4j-0.9.7.309-JS-3.jar

    File Path: /home/vaclav/.m2/repository/org/olap4j/olap4j/0.9.7.309-JS-3/olap4j-0.9.7.309-JS-3.jar
    MD5: 6c33ba624b1c6c2b2f076fcf8438b762
    SHA1: b959e1e72a5ab17668609edb2949b09a6a51b82e
    SHA256: caa9a1c5c44fb809a9bd8456050054d07be18c990a4962cb9efa53902675eacf
    Referenced In Project/Scope: OpenKM Web Application:compile
    olap4j-0.9.7.309-JS-3.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/net.sf.jasperreports/jasperreports@6.4.3

    Identifiers

    omr-tool-2007.07.01.jar

    File Path: /home/vaclav/.m2/repository/ca/uwaterloo/a3seth/omr-tool/2007.07.01/omr-tool-2007.07.01.jar
    MD5: 1acef58ac151e9abacf249e2148b74a9
    SHA1: 4489a87ab36752119b9ee8c396f3b00303f5e74a
    SHA256: 1a4938cbabc5886b408050519748687e3506b8579b4b224655dc8c085ca7b639
    Referenced In Project/Scope: OpenKM Web Application:compile
    omr-tool-2007.07.01.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12

    Identifiers

    onejar-2.2.4.jar (shaded: info.aduna.commons:aduna-commons-collections:2.3)

    Description:

    Extensions to the Java Collections Framework.

    File Path: /home/vaclav/.m2/repository/org/openrdf/sesame/onejar/2.2.4/onejar-2.2.4.jar/META-INF/maven/info.aduna.commons/aduna-commons-collections/pom.xml
    MD5: 75e89aa33ba6584aaaad06ef17dd72cf
    SHA1: d51141ccbd05a36b3e421f3be305edd8c1991b2c
    SHA256: 0e41e70738e7047d77f4ffdaa21f0de56a6ed44940b92e37d74d6ffe13064711
    Referenced In Project/Scope: OpenKM Web Application:compile

    Identifiers

    onejar-2.2.4.jar (shaded: info.aduna.commons:aduna-commons-concurrent:2.2)

    Description:

    Extensions to the Java Concurrency package.

    File Path: /home/vaclav/.m2/repository/org/openrdf/sesame/onejar/2.2.4/onejar-2.2.4.jar/META-INF/maven/info.aduna.commons/aduna-commons-concurrent/pom.xml
    MD5: f76fcbe0fd61b37d876f14a2fc7f4aed
    SHA1: 60f431fea01afbab445109d10c39a772c2d72dcf
    SHA256: 4fb4d23872466b5dfe9a5b7cf182e9b16a54701bdf1563ea5ce2bcb4c1513e9b
    Referenced In Project/Scope: OpenKM Web Application:compile

    Identifiers

    onejar-2.2.4.jar (shaded: info.aduna.commons:aduna-commons-i18n:1.0)

    Description:

    Internationalization and localization utilities.

    File Path: /home/vaclav/.m2/repository/org/openrdf/sesame/onejar/2.2.4/onejar-2.2.4.jar/META-INF/maven/info.aduna.commons/aduna-commons-i18n/pom.xml
    MD5: f8b4bd56ec27e262180b73ff6390b98b
    SHA1: 9bcf01e88d109542e2a8664bf7a8114d868ef60c
    SHA256: 4deb1c3afdec4ce0e0b89bf26f9b12e582ba326b64e697e2f3581931eacb5e8c
    Referenced In Project/Scope: OpenKM Web Application:compile

    Identifiers

    onejar-2.2.4.jar (shaded: info.aduna.commons:aduna-commons-io:2.4)

    Description:

    Extensions to the Java IO functionality.

    File Path: /home/vaclav/.m2/repository/org/openrdf/sesame/onejar/2.2.4/onejar-2.2.4.jar/META-INF/maven/info.aduna.commons/aduna-commons-io/pom.xml
    MD5: 519900e76a52ab2d9556f199de78090a
    SHA1: 658e2d7a5ea12264a5a424242fc602a74fd4cff0
    SHA256: 61cd97eff2874a58dfaa6812c9aeba0d9d45dfb794952651901c8c55a5bf19be
    Referenced In Project/Scope: OpenKM Web Application:compile

    Identifiers

    onejar-2.2.4.jar (shaded: info.aduna.commons:aduna-commons-iteration:2.3)

    Description:

    Iterations and iterators for various purposes.

    File Path: /home/vaclav/.m2/repository/org/openrdf/sesame/onejar/2.2.4/onejar-2.2.4.jar/META-INF/maven/info.aduna.commons/aduna-commons-iteration/pom.xml
    MD5: fef3d68c1db8ac9859a24ff012d7c557
    SHA1: a3126695aac4eb43bb1eb49530aacd28298d6b29
    SHA256: a9804d6a5b865d633f69980cdf3b19cfb88a898bfcdffed752505f4e827262e9
    Referenced In Project/Scope: OpenKM Web Application:compile

    Identifiers

    onejar-2.2.4.jar (shaded: info.aduna.commons:aduna-commons-lang:2.3)

    Description:

    Extensions to the Java lang package.

    File Path: /home/vaclav/.m2/repository/org/openrdf/sesame/onejar/2.2.4/onejar-2.2.4.jar/META-INF/maven/info.aduna.commons/aduna-commons-lang/pom.xml
    MD5: 35b104751172d8b914d80ec8b9984e87
    SHA1: 7a6933b6e1e432d1d189c5e43f9e2e0f574d56ee
    SHA256: 779a9fff64b747670130390958308a2126eaf1458fd4f54a9a9684869ff8e5b2
    Referenced In Project/Scope: OpenKM Web Application:compile

    Identifiers

    onejar-2.2.4.jar (shaded: info.aduna.commons:aduna-commons-net:2.2)

    Description:

    Extensions to the Java networking functionality.

    File Path: /home/vaclav/.m2/repository/org/openrdf/sesame/onejar/2.2.4/onejar-2.2.4.jar/META-INF/maven/info.aduna.commons/aduna-commons-net/pom.xml
    MD5: f5d5ab98098cfebe1724ed3cd74596e2
    SHA1: 33b24c463dc01fd62aa06e6f7ceb03acde53a3e4
    SHA256: 29298b007e36a6d72f85cee9cc2fb76e38584b4bfc3e9f030527747e0609fd8d
    Referenced In Project/Scope: OpenKM Web Application:compile

    Identifiers

    onejar-2.2.4.jar (shaded: info.aduna.commons:aduna-commons-platform-info:2.4)

    Description:

    Platform information functionality.

    File Path: /home/vaclav/.m2/repository/org/openrdf/sesame/onejar/2.2.4/onejar-2.2.4.jar/META-INF/maven/info.aduna.commons/aduna-commons-platform-info/pom.xml
    MD5: b6339b50917d8fb8ecb92ab77b316756
    SHA1: dfcbd08294e486061acbc3e626e78b8007da6aca
    SHA256: 7b5c5e907617241f4d945fa96e746f3fc5f36ff9544f1d925147ace742a831f4
    Referenced In Project/Scope: OpenKM Web Application:compile

    Identifiers

    onejar-2.2.4.jar (shaded: info.aduna.commons:aduna-commons-text:2.2)

    Description:

    Manipulate/transform/parse text in various ways.

    File Path: /home/vaclav/.m2/repository/org/openrdf/sesame/onejar/2.2.4/onejar-2.2.4.jar/META-INF/maven/info.aduna.commons/aduna-commons-text/pom.xml
    MD5: 1a1619a52cc28ff367c4fe3f7b50e5a1
    SHA1: 799e491d851d375c7de2f71985b6bd784783d53c
    SHA256: 2207d18fa527a3313bdd2b680e0c2ce28cbe87d23cd4c24c2643448132593820
    Referenced In Project/Scope: OpenKM Web Application:compile

    Identifiers

    onejar-2.2.4.jar (shaded: info.aduna.commons:aduna-commons-webapp-core:2.4)

    Description:

    Core webapp functionality.

    File Path: /home/vaclav/.m2/repository/org/openrdf/sesame/onejar/2.2.4/onejar-2.2.4.jar/META-INF/maven/info.aduna.commons/aduna-commons-webapp-core/pom.xml
    MD5: 36b9e5d310f1b247adc66f0fb2941954
    SHA1: 6967ae43dc794be5300f648690e820a68bdb62cd
    SHA256: 027314bd55c9cc7162ede07399e4ab9231b9dc3e606e9a9b17b051d7cc84c484
    Referenced In Project/Scope: OpenKM Web Application:compile

    Identifiers

    onejar-2.2.4.jar (shaded: info.aduna.commons:aduna-commons-xml:2.2)

    Description:

    Extensions to the Java XML functionality.

    File Path: /home/vaclav/.m2/repository/org/openrdf/sesame/onejar/2.2.4/onejar-2.2.4.jar/META-INF/maven/info.aduna.commons/aduna-commons-xml/pom.xml
    MD5: 5e21a999506184145d3d0821d0bc1451
    SHA1: 3a0b537f9bc67483efa6600ea292770dae66af7c
    SHA256: 66982480315188d416df20cbd51349ce1e0b36f17ff1366470de286631fb1955
    Referenced In Project/Scope: OpenKM Web Application:compile

    Identifiers

    onejar-2.2.4.jar (shaded: org.openrdf.sesame:sesame-console:2.2.4)

    Description:

    Command line user interface to Sesame repositories.

    File Path: /home/vaclav/.m2/repository/org/openrdf/sesame/onejar/2.2.4/onejar-2.2.4.jar/META-INF/maven/org.openrdf.sesame/sesame-console/pom.xml
    MD5: 6fb1a0894e077fc801abe28923cc262a
    SHA1: 0ab5ff912198af61f4c18b0e3ff048cf2375fbde
    SHA256: a63ffdf656f1c8a9cc6fe73b9616f2b9fc4b1ad2abfbef2d302d661c1109c316
    Referenced In Project/Scope: OpenKM Web Application:compile

    Identifiers

    onejar-2.2.4.jar (shaded: org.openrdf.sesame:sesame-http-client:2.2.4)

    Description:

    Client functionality for communicating with an OpenRDF server over HTTP.

    File Path: /home/vaclav/.m2/repository/org/openrdf/sesame/onejar/2.2.4/onejar-2.2.4.jar/META-INF/maven/org.openrdf.sesame/sesame-http-client/pom.xml
    MD5: 288b536c0c9878b0e792db9c23e22716
    SHA1: b806599580fdcea15e86b017f3daf7ffb2f3c56f
    SHA256: 7f2363fde37a6081a718a444e5f7d9a54f0743efc82225ef45745d3357f2da45
    Referenced In Project/Scope: OpenKM Web Application:compile

    Identifiers

    onejar-2.2.4.jar (shaded: org.openrdf.sesame:sesame-http-protocol:2.2.4)

    Description:

    HTTP protocol (REST-style)

    File Path: /home/vaclav/.m2/repository/org/openrdf/sesame/onejar/2.2.4/onejar-2.2.4.jar/META-INF/maven/org.openrdf.sesame/sesame-http-protocol/pom.xml
    MD5: ca57f85dfd3af0573c01bf9d7c50820c
    SHA1: 5d31cda7ac2615416bc9a2ea1af5de2b4f6e997a
    SHA256: 9b49ca4dc8d51903ac2eae3cd0172bd3018cab40a492b2fb337d1673bffa95e9
    Referenced In Project/Scope: OpenKM Web Application:compile

    Identifiers

    onejar-2.2.4.jar (shaded: org.openrdf.sesame:sesame-http-server-spring:2.2.4)

    Description:

    HTTP server implementing a REST-style protocol

    File Path: /home/vaclav/.m2/repository/org/openrdf/sesame/onejar/2.2.4/onejar-2.2.4.jar/META-INF/maven/org.openrdf.sesame/sesame-http-server-spring/pom.xml
    MD5: 8a8bd8f0deeb4e46c530724e10f5f822
    SHA1: b27e8b5158b67087fbdb23ec5cc32058b0a58d40
    SHA256: 0ff8655f9a5b51990ddf584eb0065e304ddce0c56460953049bd81081b6bd3df
    Referenced In Project/Scope: OpenKM Web Application:compile

    Identifiers

    onejar-2.2.4.jar (shaded: org.openrdf.sesame:sesame-model:2.2.4)

    Description:

    RDF model interfaces and implementations.

    File Path: /home/vaclav/.m2/repository/org/openrdf/sesame/onejar/2.2.4/onejar-2.2.4.jar/META-INF/maven/org.openrdf.sesame/sesame-model/pom.xml
    MD5: 4bb6fd1c3f16bee45338829a22397dc1
    SHA1: ca001d484a79f946f7a75e67f6310ea03b182c47
    SHA256: 7126ef3f2b3a2dbfc26fc7bfc0f3a664ce649f8c2747fb19e62a2fff037cc4ed
    Referenced In Project/Scope: OpenKM Web Application:compile

    Identifiers

    onejar-2.2.4.jar (shaded: org.openrdf.sesame:sesame-query:2.2.4)

    Description:

    Query interfaces and implementations

    File Path: /home/vaclav/.m2/repository/org/openrdf/sesame/onejar/2.2.4/onejar-2.2.4.jar/META-INF/maven/org.openrdf.sesame/sesame-query/pom.xml
    MD5: 1baa1f09b704fc7c1795025a60714f58
    SHA1: 34919bf5be1d8da6ee3ffa265d234ace42035051
    SHA256: 6553b6cb95382b1123eff13106133ee5ed85618e1d53b5ffeb6221acfc335f66
    Referenced In Project/Scope: OpenKM Web Application:compile

    Identifiers

    onejar-2.2.4.jar (shaded: org.openrdf.sesame:sesame-queryalgebra-evaluation:2.2.4)

    Description:

    Evaluation strategy API and implementations for the query algebra model.

    File Path: /home/vaclav/.m2/repository/org/openrdf/sesame/onejar/2.2.4/onejar-2.2.4.jar/META-INF/maven/org.openrdf.sesame/sesame-queryalgebra-evaluation/pom.xml
    MD5: 3080a05e97a745033169b8d9cf887048
    SHA1: d8712de4eb0476d6c7b3bc9b1ee85fd2d9407052
    SHA256: da3a1e5184d3c0d27351f6d47ee7c08a052b9eca9da9b9c97d8e2420eaded933
    Referenced In Project/Scope: OpenKM Web Application:compile

    Identifiers

    onejar-2.2.4.jar (shaded: org.openrdf.sesame:sesame-queryalgebra-model:2.2.4)

    Description:

    A generic query algebra for RDF queries.

    File Path: /home/vaclav/.m2/repository/org/openrdf/sesame/onejar/2.2.4/onejar-2.2.4.jar/META-INF/maven/org.openrdf.sesame/sesame-queryalgebra-model/pom.xml
    MD5: ef1f53459c94eb4f69ef73428a6bb02e
    SHA1: 04c97d8268fd149713602595be7c8e36263e1612
    SHA256: 27ae61f2b55b817f979054e88ff4c52a5e07de63d5cb16ce65942cf7f930170b
    Referenced In Project/Scope: OpenKM Web Application:compile

    Identifiers

    onejar-2.2.4.jar (shaded: org.openrdf.sesame:sesame-queryparser-api:2.2.4)

    Description:

    Query language parsers API.

    File Path: /home/vaclav/.m2/repository/org/openrdf/sesame/onejar/2.2.4/onejar-2.2.4.jar/META-INF/maven/org.openrdf.sesame/sesame-queryparser-api/pom.xml
    MD5: b74666e5436317ce08f68d00838d9828
    SHA1: d152644c80bdb8bad35a1b8bffe87b60e411c245
    SHA256: 74f43ab35ab991b2ea4bf9a2bb3312e3f88b65a22c2d8339fe82f2ecbec5c158
    Referenced In Project/Scope: OpenKM Web Application:compile

    Identifiers

    onejar-2.2.4.jar (shaded: org.openrdf.sesame:sesame-queryparser-serql:2.2.4)

    Description:

    Query language parser implementation for SeRQL.

    File Path: /home/vaclav/.m2/repository/org/openrdf/sesame/onejar/2.2.4/onejar-2.2.4.jar/META-INF/maven/org.openrdf.sesame/sesame-queryparser-serql/pom.xml
    MD5: fd923000438c2a00fbbc6ec2bb6e1955
    SHA1: 60a2be50bd5ad4d4a3f7bf668c79616e6bbe7b1c
    SHA256: 8f5341d1a6cebf54f01feb8d7d48ed373aa6a8d6cfbaf1e2845ffcf8145283cc
    Referenced In Project/Scope: OpenKM Web Application:compile

    Identifiers

    onejar-2.2.4.jar (shaded: org.openrdf.sesame:sesame-queryparser-sparql:2.2.4)

    Description:

    Query language parser implementation for SPARQL.

    File Path: /home/vaclav/.m2/repository/org/openrdf/sesame/onejar/2.2.4/onejar-2.2.4.jar/META-INF/maven/org.openrdf.sesame/sesame-queryparser-sparql/pom.xml
    MD5: 26670a247c9dd580e814edfa5cb8e0ed
    SHA1: f9d30ab73732fd73cc244404e2def1700e27c55e
    SHA256: 3b58de2bf3c0f3033aa3a27b9350c109fc20e224a88655ee3a62ee77c5b22513
    Referenced In Project/Scope: OpenKM Web Application:compile

    Identifiers

    onejar-2.2.4.jar (shaded: org.openrdf.sesame:sesame-queryresultio-api:2.2.4)

    Description:

    Query result IO API

    File Path: /home/vaclav/.m2/repository/org/openrdf/sesame/onejar/2.2.4/onejar-2.2.4.jar/META-INF/maven/org.openrdf.sesame/sesame-queryresultio-api/pom.xml
    MD5: 258dad5f0e930c5f7ffd8dee45db709b
    SHA1: 6665b323eaf108115b821b9708a4daa07c6d1fe7
    SHA256: cbf9a24239fd6c1aaa6fd96a21125547882bda58258992307f263e8ecac83fae
    Referenced In Project/Scope: OpenKM Web Application:compile

    Identifiers

    onejar-2.2.4.jar (shaded: org.openrdf.sesame:sesame-queryresultio-binary:2.2.4)

    Description:

    Query result parser and writer implementation for OpenRDF's binary query results format.

    File Path: /home/vaclav/.m2/repository/org/openrdf/sesame/onejar/2.2.4/onejar-2.2.4.jar/META-INF/maven/org.openrdf.sesame/sesame-queryresultio-binary/pom.xml
    MD5: 30a8bd3fb8e97874d176abe403562852
    SHA1: 3af84a7bfecb3b5ace06e0307e821fd62bd79e1c
    SHA256: e7fab92285d7174e7da48178265a72c85d6c69e3f861b6cb5ff03a4a9a25b5be
    Referenced In Project/Scope: OpenKM Web Application:compile

    Identifiers

    onejar-2.2.4.jar (shaded: org.openrdf.sesame:sesame-queryresultio-sparqljson:2.2.4)

    Description:

    Query result writer implementation for the SPARQL Query Results JSON Format.

    File Path: /home/vaclav/.m2/repository/org/openrdf/sesame/onejar/2.2.4/onejar-2.2.4.jar/META-INF/maven/org.openrdf.sesame/sesame-queryresultio-sparqljson/pom.xml
    MD5: 3d786d36e3c2adeb3d6e22cb5c4d26b8
    SHA1: 0cf175ad088e86f8e9d34e4b56dad31e9a955976
    SHA256: 2e61f384d9466df718db36d3dbc7d31da591ccd280198cf8ce7b4358ffb24bd1
    Referenced In Project/Scope: OpenKM Web Application:compile

    Identifiers

    onejar-2.2.4.jar (shaded: org.openrdf.sesame:sesame-queryresultio-sparqlxml:2.2.4)

    Description:

    Query result parser and writer implementation for the SPARQL Query Results XML Format.

    File Path: /home/vaclav/.m2/repository/org/openrdf/sesame/onejar/2.2.4/onejar-2.2.4.jar/META-INF/maven/org.openrdf.sesame/sesame-queryresultio-sparqlxml/pom.xml
    MD5: 502d539a0fd14bf42c8a9585357ef37e
    SHA1: 08991fa02bbbe2f8ab2f536594d10bbaafd6a0ea
    SHA256: 2837088d743c8b5be129df3870109145a2a28d80419b3c26ffb3ceecebc89a9d
    Referenced In Project/Scope: OpenKM Web Application:compile

    Identifiers

    onejar-2.2.4.jar (shaded: org.openrdf.sesame:sesame-queryresultio-text:2.2.4)

    Description:

    Query result parser and writer implementation for OpenRDF's plain text boolean query results format.

    File Path: /home/vaclav/.m2/repository/org/openrdf/sesame/onejar/2.2.4/onejar-2.2.4.jar/META-INF/maven/org.openrdf.sesame/sesame-queryresultio-text/pom.xml
    MD5: 53a85975d99e9dfb89fe7ca28cb827dd
    SHA1: 6a259fafc5a74630f83b64c3b4bf136d96637a53
    SHA256: 2377108b6788887ef445db4a545f11b3d589031da9eff4c07888a821842ee8b6
    Referenced In Project/Scope: OpenKM Web Application:compile

    Identifiers

    onejar-2.2.4.jar (shaded: org.openrdf.sesame:sesame-repository-api:2.2.4)

    Description:

    API for interacting with repositories of RDF data.

    File Path: /home/vaclav/.m2/repository/org/openrdf/sesame/onejar/2.2.4/onejar-2.2.4.jar/META-INF/maven/org.openrdf.sesame/sesame-repository-api/pom.xml
    MD5: ee6a2387c2af40744fb7cfb16f9e1029
    SHA1: 9a65051fbf1a76d64c9ac1eabc794327922240b3
    SHA256: 6f4196c64f0210f56a85549d26217ee1eddfb6b897c4c841d095f7873f1723bd
    Referenced In Project/Scope: OpenKM Web Application:compile

    Identifiers

    onejar-2.2.4.jar (shaded: org.openrdf.sesame:sesame-repository-contextaware:2.2.4)

    Description:

    Implementation that allows default values to be set on a wrapped repository

    File Path: /home/vaclav/.m2/repository/org/openrdf/sesame/onejar/2.2.4/onejar-2.2.4.jar/META-INF/maven/org.openrdf.sesame/sesame-repository-contextaware/pom.xml
    MD5: 66d4eb63b98828be3286109e5809f7de
    SHA1: 48cf00bbbb81ad4a71646112b30901678028af62
    SHA256: 77e094db825d2f3936e48adbdbe44163a9393c83bc10ebcb023c8d48d257a704
    Referenced In Project/Scope: OpenKM Web Application:compile

    Identifiers

    onejar-2.2.4.jar (shaded: org.openrdf.sesame:sesame-repository-dataset:2.2.4)

    Description:

    Implementation that loads all referenced datasets into a wrapped repository

    File Path: /home/vaclav/.m2/repository/org/openrdf/sesame/onejar/2.2.4/onejar-2.2.4.jar/META-INF/maven/org.openrdf.sesame/sesame-repository-dataset/pom.xml
    MD5: 78746d5e91d0b292ed75e967ad1dfbee
    SHA1: 794e54ebb51043d27484da75de4d9048ab4c1bd5
    SHA256: fc979533faf6910e83649d0dd85996226389bfaf1547fb482071f7dee8e89d2f
    Referenced In Project/Scope: OpenKM Web Application:compile

    Identifiers

    onejar-2.2.4.jar (shaded: org.openrdf.sesame:sesame-repository-event:2.2.4)

    Description:

    Implementation that notifies listeners of events on a wrapped repository

    File Path: /home/vaclav/.m2/repository/org/openrdf/sesame/onejar/2.2.4/onejar-2.2.4.jar/META-INF/maven/org.openrdf.sesame/sesame-repository-event/pom.xml
    MD5: 79fd5b45736e9799fb4ffa7993590c56
    SHA1: bb34025bcfc94ee9b7423a6e821723eb225d69b6
    SHA256: 1097f6ffe90002cb9a72bcc23b27644ed59f4a1b73c0797c4e35d7b646a78936
    Referenced In Project/Scope: OpenKM Web Application:compile

    Identifiers

    onejar-2.2.4.jar (shaded: org.openrdf.sesame:sesame-repository-http:2.2.4)

    Description:

    "Virtual" repository that communicates with a (remote) repository over the HTTP protocol.

    File Path: /home/vaclav/.m2/repository/org/openrdf/sesame/onejar/2.2.4/onejar-2.2.4.jar/META-INF/maven/org.openrdf.sesame/sesame-repository-http/pom.xml
    MD5: 8e1d0c898da2e055b01243defc6fcc3a
    SHA1: c16e21a8d3eacc9c5118e442b62bd8a8c3a8a2aa
    SHA256: 63c0a9f6384117157bf6b6f270400077f8f479ccc7c93138e26e7e97f201b3e8
    Referenced In Project/Scope: OpenKM Web Application:compile

    Identifiers

    onejar-2.2.4.jar (shaded: org.openrdf.sesame:sesame-repository-manager:2.2.4)

    Description:

    Repository manager

    File Path: /home/vaclav/.m2/repository/org/openrdf/sesame/onejar/2.2.4/onejar-2.2.4.jar/META-INF/maven/org.openrdf.sesame/sesame-repository-manager/pom.xml
    MD5: 649f9498e0b89fdc5878d5036e56b53a
    SHA1: 73f6fe9d8de2d340ffa481fb899648b72c3084f8
    SHA256: 58800ea5861af38063d928fa33a544a5694983d7fd7c3b82fcf1f43d295878cd
    Referenced In Project/Scope: OpenKM Web Application:compile

    Identifiers

    onejar-2.2.4.jar (shaded: org.openrdf.sesame:sesame-repository-sail:2.2.4)

    Description:

    Repository that uses a Sail stack.

    File Path: /home/vaclav/.m2/repository/org/openrdf/sesame/onejar/2.2.4/onejar-2.2.4.jar/META-INF/maven/org.openrdf.sesame/sesame-repository-sail/pom.xml
    MD5: 52808ed414559472a62c8eb47180ccec
    SHA1: 3625074bf4d4d5486caf73328216951cf03696d4
    SHA256: 2ffcdca355237b8bdbd1c817ae9961b608480f2be9d22ff87a500b7d2789d1c1
    Referenced In Project/Scope: OpenKM Web Application:compile

    Identifiers

    onejar-2.2.4.jar (shaded: org.openrdf.sesame:sesame-rio-api:2.2.4)

    Description:

    Rio API.

    File Path: /home/vaclav/.m2/repository/org/openrdf/sesame/onejar/2.2.4/onejar-2.2.4.jar/META-INF/maven/org.openrdf.sesame/sesame-rio-api/pom.xml
    MD5: ce9af14125af34e38906c173499b8437
    SHA1: 856772b92e88eddae41a2a72ed1a739263d89290
    SHA256: 750fd5598ba6d3744cd2982a5ce68a67fe888baaef5c3342c96ed57a719ef6c7
    Referenced In Project/Scope: OpenKM Web Application:compile

    Identifiers

    onejar-2.2.4.jar (shaded: org.openrdf.sesame:sesame-rio-n3:2.2.4)

    Description:

    Rio writer implementation for the N3 file format.

    File Path: /home/vaclav/.m2/repository/org/openrdf/sesame/onejar/2.2.4/onejar-2.2.4.jar/META-INF/maven/org.openrdf.sesame/sesame-rio-n3/pom.xml
    MD5: 41cd6e66d93c9efb2a5b2a1c638b0ca4
    SHA1: 14ffbfbc06af798578ca22036fb1343ad26456fb
    SHA256: 1a2f46d855ab603901d90eb0585bcf9c65c288781d09bda3706f51a3724ac4cc
    Referenced In Project/Scope: OpenKM Web Application:compile

    Identifiers

    onejar-2.2.4.jar (shaded: org.openrdf.sesame:sesame-rio-ntriples:2.2.4)

    Description:

    Rio parser and writer implementation for the N-Triples file format.

    File Path: /home/vaclav/.m2/repository/org/openrdf/sesame/onejar/2.2.4/onejar-2.2.4.jar/META-INF/maven/org.openrdf.sesame/sesame-rio-ntriples/pom.xml
    MD5: 9051bcd3e714d19e1ac2191712b307c9
    SHA1: 621881d0a0b4f61cfd4de36049dd404edfb4dad0
    SHA256: b9dc3e4b3581f10d11c10cbd0b27335a486b6ee91d3c3baac9a88ab9976f7c0d
    Referenced In Project/Scope: OpenKM Web Application:compile

    Identifiers

    onejar-2.2.4.jar (shaded: org.openrdf.sesame:sesame-rio-rdfxml:2.2.4)

    Description:

    Rio parser and writer implementation for the RDF/XML file format.

    File Path: /home/vaclav/.m2/repository/org/openrdf/sesame/onejar/2.2.4/onejar-2.2.4.jar/META-INF/maven/org.openrdf.sesame/sesame-rio-rdfxml/pom.xml
    MD5: d7e453cd43caeca7fc4f2927257e017f
    SHA1: 8fb4fb3a1a4fe8359ead169d97566851ab9052f2
    SHA256: bd72694841145444c2f3316038d218d2f800b7ef023e46453a6b0596c71e1e7b
    Referenced In Project/Scope: OpenKM Web Application:compile

    Identifiers

    onejar-2.2.4.jar (shaded: org.openrdf.sesame:sesame-rio-trig:2.2.4)

    Description:

    Rio parser and writer implementation for the TriG file format.

    File Path: /home/vaclav/.m2/repository/org/openrdf/sesame/onejar/2.2.4/onejar-2.2.4.jar/META-INF/maven/org.openrdf.sesame/sesame-rio-trig/pom.xml
    MD5: a27128a58221bf9c59e0d7badcb5f3c6
    SHA1: c1d4c748f4755f19b239b0ac25883d51fcc65e70
    SHA256: 7f137e2a01a9bb4045c3ea23b85da59b787363c9caade69ad47648033355108a
    Referenced In Project/Scope: OpenKM Web Application:compile

    Identifiers

    onejar-2.2.4.jar (shaded: org.openrdf.sesame:sesame-rio-trix:2.2.4)

    Description:

    Rio parser and writer implementation for the TriX file format.

    File Path: /home/vaclav/.m2/repository/org/openrdf/sesame/onejar/2.2.4/onejar-2.2.4.jar/META-INF/maven/org.openrdf.sesame/sesame-rio-trix/pom.xml
    MD5: 680882e3523cb47985e430291d73b115
    SHA1: 2854d463fdbc9f56af844387328ea0f9d2610452
    SHA256: 3f50f0a80a699f46691f33fa811b80aa477194874fbf58a78684519c5d2f088d
    Referenced In Project/Scope: OpenKM Web Application:compile

    Identifiers

    onejar-2.2.4.jar (shaded: org.openrdf.sesame:sesame-rio-turtle:2.2.4)

    Description:

    Rio parser and writer implementation for the Turtle file format.

    File Path: /home/vaclav/.m2/repository/org/openrdf/sesame/onejar/2.2.4/onejar-2.2.4.jar/META-INF/maven/org.openrdf.sesame/sesame-rio-turtle/pom.xml
    MD5: 4c1060cd90101c370d58d9756c89bfe0
    SHA1: b07f8af2ea53b0d221583d7329ec7a48fbb96560
    SHA256:a9e71a796e7a32612e40f91fa36df7c163cb117adac02463faa8a0171e978566
    Referenced In Project/Scope: OpenKM Web Application:compile

    Identifiers

    onejar-2.2.4.jar (shaded: org.openrdf.sesame:sesame-runtime:2.2.4)

    Description:

    Runtime dependencies for an OpenRDF application

    File Path: /home/vaclav/.m2/repository/org/openrdf/sesame/onejar/2.2.4/onejar-2.2.4.jar/META-INF/maven/org.openrdf.sesame/sesame-runtime/pom.xml
    MD5: 0f08005261583a662c46933b8ba1c90f
    SHA1: 6ce2ee93545d35c59d903b87a87ed61840368685
    SHA256:24d0d943e51b0d870f03b1961bee1210768eddc8cfcf01b5fddb683118787dd5
    Referenced In Project/Scope: OpenKM Web Application:compile

    Identifiers

    onejar-2.2.4.jar (shaded: org.openrdf.sesame:sesame-sail-api:2.2.4)

    Description:

    RDF Storage And Inference Layer ("Sail") API.

    File Path: /home/vaclav/.m2/repository/org/openrdf/sesame/onejar/2.2.4/onejar-2.2.4.jar/META-INF/maven/org.openrdf.sesame/sesame-sail-api/pom.xml
    MD5: 8ab4211f416fe9d2019960449907057a
    SHA1: adb3f103799539a76c05dc7d96b3977e3fdac514
    SHA256:cc0382b4034efa5c9ce0d6571fd431c944572d230cd7d6469feb06ea7ef1fa1e
    Referenced In Project/Scope: OpenKM Web Application:compile

    Identifiers

    onejar-2.2.4.jar (shaded: org.openrdf.sesame:sesame-sail-inferencer:2.2.4)

    Description:

    Stackable Sail implementation that adds RDF Schema inferencing to an RDF store.

    File Path: /home/vaclav/.m2/repository/org/openrdf/sesame/onejar/2.2.4/onejar-2.2.4.jar/META-INF/maven/org.openrdf.sesame/sesame-sail-inferencer/pom.xml
    MD5: f82f772126dc1c988ebaa4ae8f281ab1
    SHA1: a98e93ec4cee4eff5d3eb1501a8f7032b6da38ee
    SHA256:82db14e474f764f54b0b58f2f1dcba2604ba2f914f97808da8222188f4155026
    Referenced In Project/Scope: OpenKM Web Application:compile

    Identifiers

    onejar-2.2.4.jar (shaded: org.openrdf.sesame:sesame-sail-memory:2.2.4)

    Description:

    Sail implementation that stores data in main memory, optionally using a dump-restore file for persistence.

    File Path: /home/vaclav/.m2/repository/org/openrdf/sesame/onejar/2.2.4/onejar-2.2.4.jar/META-INF/maven/org.openrdf.sesame/sesame-sail-memory/pom.xml
    MD5: e25baa12d0d79130c2fd1ddca2faf80d
    SHA1: 09714986b142f3908c212c3efad4df5a026ff4a0
    SHA256:dc734808f1510f25925cd09f6f79968332d07937aadbd480b03a2223baf98163
    Referenced In Project/Scope: OpenKM Web Application:compile

    Identifiers

    onejar-2.2.4.jar (shaded: org.openrdf.sesame:sesame-sail-nativerdf:2.2.4)

    Description:

    Sail implementation that stores data directly to disk in dedicated file formats.

    File Path: /home/vaclav/.m2/repository/org/openrdf/sesame/onejar/2.2.4/onejar-2.2.4.jar/META-INF/maven/org.openrdf.sesame/sesame-sail-nativerdf/pom.xml
    MD5: 6abecc88d9dc54b244a42be97c7dce60
    SHA1: 43c7e1fc7e625dd9680dd8197185dd0451d4339b
    SHA256:10021845126d78fbf9b70e02bce09be47ff1c882ddbac69824ddbf45f7faa0e5
    Referenced In Project/Scope: OpenKM Web Application:compile

    Identifiers

    onejar-2.2.4.jar (shaded: org.openrdf.sesame:sesame-sail-rdbms:2.2.4)

    Description:

    Sail implementation that stores data in a relational database.

    File Path: /home/vaclav/.m2/repository/org/openrdf/sesame/onejar/2.2.4/onejar-2.2.4.jar/META-INF/maven/org.openrdf.sesame/sesame-sail-rdbms/pom.xml
    MD5: 60cd58964f1409cdd2eba2d26bdad10a
    SHA1: 5c9127c8edc69ca04d2065b376b343cacaea3c42
    SHA256:12df7351eeb6e31bb5401c38a1b377b6d079676b367a0984f5ce5e69c2d40355
    Referenced In Project/Scope: OpenKM Web Application:compile

    Identifiers

    onejar-2.2.4.jar

    File Path: /home/vaclav/.m2/repository/org/openrdf/sesame/onejar/2.2.4/onejar-2.2.4.jar
    MD5: 53e4e9a1b84557d3d8c2c0ed37e742be
    SHA1: 15ac9626ce3700377bf31477e61ce6fc71885571
    SHA256:7d38d76027e0fc5fac60ae93cad07b5f5bd84d9bce7de281277a035eba163901
    Referenced In Project/Scope: OpenKM Web Application:compile
    onejar-2.2.4.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12

    Identifiers

    opensaml-2.5.1-1.jar

    Description:

    The OpenSAML-J library provides tools to support developers working with the Security Assertion Markup Language (SAML).

    License:

    Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt
    File Path: /home/vaclav/.m2/repository/org/opensaml/opensaml/2.5.1-1/opensaml-2.5.1-1.jar
    MD5: 1d7b3adc3f43fca064ff44faaf3e21bb
    SHA1: 9736dcbe852dda3ce263a9c6e33579cd5af203e5
    SHA256:dbbcb9c9030312255b754a6154f1483009ec9637854a7de943d2682a47310f31
    Referenced In Project/Scope: OpenKM Web Application:compile
    opensaml-2.5.1-1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.apache.ws.security/wss4j@1.6.4

    Identifiers

    CVE-2017-16853  

    The DynamicMetadataProvider class in saml/saml2/metadata/impl/DynamicMetadataProvider.cpp in OpenSAML-C in OpenSAML before 2.6.1 fails to properly configure itself with the MetadataFilter plugins and does not perform critical security checks such as signature verification, enforcement of validity periods, and other checks specific to deployments, aka CPPOST-105.
    CWE-347 Improper Verification of Cryptographic Signature

    CVSSv2:
    • Base Score: MEDIUM (6.8)
    • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
    CVSSv3:
    • Base Score: HIGH (8.1)
    • Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:2.2/RC:R/MAV:A

    References:

    Vulnerable Software & Versions:

    CVE-2014-3603 (OSSINDEX)  

    The (1) HttpResource and (2) FileBackedHttpResource implementations in Shibboleth Identity Provider (IdP) before 2.4.1 and OpenSAML Java 2.6.2 do not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
    CWE-297 Improper Validation of Certificate with Host Mismatch

    CVSSv3:
    • Base Score: MEDIUM (5.900000095367432)
    • Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

    References:

    Vulnerable Software & Versions (OSSINDEX):

    • cpe:2.3:a:org.opensaml:opensaml:2.5.1-1:*:*:*:*:*:*:*

    CVE-2013-6440  

    The (1) BasicParserPool, (2) StaticBasicParserPool, (3) XML Decrypter, and (4) SAML Decrypter in Shibboleth OpenSAML-Java before 2.6.1 set the expandEntityReferences property to true, which allows remote attackers to conduct XML external entity (XXE) attacks via a crafted XML DOCTYPE declaration.
    CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

    CVSSv2:
    • Base Score: MEDIUM (5.0)
    • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N

    References:

      Vulnerable Software & Versions:

      opensaml-core-3.3.0.jar

      Description:

      Core

      File Path: /home/vaclav/.m2/repository/org/opensaml/opensaml-core/3.3.0/opensaml-core-3.3.0.jar
      MD5: e558149f017f5e7dd948658f76d7a44a
      SHA1: 6fac68342891abec3c22d53e14c706ba3e58918b
      SHA256:23485da0ab41c864fbaa23e09a6aa40507683f73a51d1258f16e4321df1f1a4f
      Referenced In Project/Scope: OpenKM Web Application:compile
      opensaml-core-3.3.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.apache.cxf/cxf-rt-ws-security@3.2.6

      Identifiers

      openws-1.4.2-1.jar

      Description:

      The OpenWS library provides a growing set of tools to work with web services at a low level. These tools include classes for creating and reading SOAP messages, transport-independent clients for connecting to web services, and various transports for use with those clients.

      License:

      Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt
      File Path: /home/vaclav/.m2/repository/org/opensaml/openws/1.4.2-1/openws-1.4.2-1.jar
      MD5: 8f84c09de5295c630e21febcdc09521c
      SHA1: c835fd5214632ed4befbca23dd42e062e80ceb85
      SHA256:bf0e2dbc0fd359b6d2c872a7d1b4c12e1e4f7f6eb6114801d6ebcaf8af7afca4
      Referenced In Project/Scope: OpenKM Web Application:compile
      openws-1.4.2-1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.apache.ws.security/wss4j@1.6.4

      Identifiers

      overlay.js

      File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/addon/mode/overlay.js
      MD5: 9db99d52d4b1dc3a8c2e5b96dfd32eb3
      SHA1: f5f72a46a0f3cb24a2beb83430e3d12bb964cbb3
      SHA256:9fa9deedf3280fa71aaf04aa5997e2476874530631fc881fc4ce4e2587949979
      Referenced In Project/Scope: OpenKM Web Application

      Identifiers

      • None

      package.json

      File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/package.json
      MD5: b52e9f278f6be7fabf8d4d0fec392c17
      SHA1: 56c2a09b26318b7beb6a8a25bf6179d4312a48d0
      SHA256:02de9ca4523804234b2363ce7002fb84e1c4fad47a2898f923104b61e01169b1
      Referenced In Project/Scope: OpenKM Web Application

      Identifiers

      • None

      pascal.js

      File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/pascal/pascal.js
      MD5: fbf383b9b0ffde7859447522e9607f6b
      SHA1: e866eaca215e38658d8a8345f92cc7b9c8bd6b2b
      SHA256:b0a28a6107d3c26637d2e3baf8162ca93318077d24f4bb0b0453c7459d29fb70
      Referenced In Project/Scope: OpenKM Web Application

      Identifiers

      • None

      pdf.js

      File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/preview/build/pdf.js
      MD5: 81cf49006e67302cd5d765dd5304e5ef
      SHA1: 149e75bb873897d116b31c51d6fc1adb11be6fe4
      SHA256:c304d9cebbdefca3bbe2db048abbc607e3b8975abdbbcca0200537df6969f215
      Referenced In Project/Scope: OpenKM Web Application

      Identifiers

      • None

      pdf.js

      File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/preview/pdfjs/build/pdf.js
      MD5: 93d488c4f730f3b92505e05aa5bc3172
      SHA1: 2386e91a5e005936c3b534f04f6e5f902229d97b
      SHA256:13bcdf5e3f414c54cd5dcd7acd01c38814c18f6113252edcb42e1bbefb210bb0
      Referenced In Project/Scope: OpenKM Web Application

      Identifiers

      • None

      pdf.sandbox.js

      File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/preview/pdfjs/build/pdf.sandbox.js
      MD5: 0353a8302c6acbc3071cd3479377bbb4
      SHA1: a65f6a0106fa2ef340f3d0b62fc990cc93ab24f3
      SHA256:b286b5ead5416ad94412f7c6c626db0680f4c17ef396cf5fe249ede962f77e1d
      Referenced In Project/Scope: OpenKM Web Application

      Identifiers

      • None

      pdf.worker.js

      File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/preview/build/pdf.worker.js
      MD5: 5fec89f3fde15545ba209f7118798791
      SHA1: 03821aa7790b9331f7dfbc008bb04a77ec0cb628
      SHA256:a26ddeda4de0fc1b77d0fc9ec019510a25441f2548e43d83bae5e8aace8467a6
      Referenced In Project/Scope: OpenKM Web Application

      Identifiers

      • None

      pdf.worker.js

      File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/preview/pdfjs/build/pdf.worker.js
      MD5: 0a4fb858492fa329b56fd670b216b736
      SHA1: 276782b5763a7c8eeceb915d75f0c512327843a4
      SHA256:1fd4676cad2673d78d4cac077effa47942f01ce6094642bebc6abc724a4d924a
      Referenced In Project/Scope: OpenKM Web Application

      Identifiers

      • None

      pdfbox-2.0.13.jar

      Description:

      The Apache PDFBox library is an open source Java tool for working with PDF documents.

      License:

      https://www.apache.org/licenses/LICENSE-2.0.txt
      File Path: /home/vaclav/.m2/repository/org/apache/pdfbox/pdfbox/2.0.13/pdfbox-2.0.13.jar
      MD5: 91d98c9a48cb6e89a3a1eeb4294f2665
      SHA1: 389abca354e682d65e500c57856b75130d015e77
      SHA256:a373578f0efe7411e1c63181512bbb93f9eb528dd9c05655986ca5e372fe3634
      Referenced In Project/Scope: OpenKM Web Application:compile
      pdfbox-2.0.13.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12

      Identifiers

      CVE-2021-27807  

      A carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.22 and prior 2.0.x versions.
      CWE-834 Excessive Iteration

      CVSSv2:
      • Base Score: MEDIUM (4.3)
      • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
      CVSSv3:
      • Base Score: MEDIUM (5.5)
      • Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:1.8/RC:R/MAV:A

      References:

      Vulnerable Software & Versions:

      CVE-2021-27906  

      A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.22 and prior 2.0.x versions.
      CWE-789 Memory Allocation with Excessive Size Value, NVD-CWE-Other

      CVSSv2:
      • Base Score: MEDIUM (4.3)
      • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
      CVSSv3:
      • Base Score: MEDIUM (5.5)
      • Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:1.8/RC:R/MAV:A

      References:

      Vulnerable Software & Versions:

      CVE-2021-31811  

      In Apache PDFBox, a carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.
      CWE-789 Memory Allocation with Excessive Size Value, CWE-770 Allocation of Resources Without Limits or Throttling

      CVSSv2:
      • Base Score: MEDIUM (4.3)
      • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
      CVSSv3:
      • Base Score: MEDIUM (5.5)
      • Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:1.8/RC:R/MAV:A

      References:

      Vulnerable Software & Versions:

      CVE-2021-31812  

      In Apache PDFBox, a carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.
      CWE-834 Excessive Iteration, CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')

      CVSSv2:
      • Base Score: MEDIUM (4.3)
      • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
      CVSSv3:
      • Base Score: MEDIUM (5.5)
      • Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:1.8/RC:R/MAV:A

      References:

      Vulnerable Software & Versions:

      pegjs.js

      File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/pegjs/pegjs.js
      MD5: 4d389ae83006d3851b6f407341756b55
      SHA1: e473d5332c8e536806c17648eb0b8d6762c63446
      SHA256:46ec8ef3ae56a568954c8062a6fa78d76d345215ae93d05e18900647ffd734d5
      Referenced In Project/Scope: OpenKM Web Application

      Identifiers

      • None

      perl.js

      File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/perl/perl.js
      MD5: 2a939d012c58da9a748515f47f92b65c
      SHA1: e8e98ad85af974e44d5cd25ac04ba313ce258f14
      SHA256:a755a93edcc3e02ac21440909b605cd9d00da24636aad8e1af897060770c908b
      Referenced In Project/Scope: OpenKM Web Application

      Identifiers

      • None

      php.js

      File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/php/php.js
      MD5: a0764da08e0d5581fc9b1fb8607ed584
      SHA1: 1ecf2701c983434752ffa9301e0ae4ac9a97d86e
      SHA256:876af57b49ff9930eced74e3c0f72aeca1fd994deaf86c30a5860a14c9c006c0
      Referenced In Project/Scope: OpenKM Web Application

      Identifiers

      • None

      pig.js

      File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/pig/pig.js
      MD5: 73b355c294616f46a678e0c6c2ba8111
      SHA1: 36a19f25f889035f1db4f7155bff30e26de8aefd
      SHA256:996a096b2dd30570fa678b16f8a802843ae04786564dd10cf5714a7ad4a172c4
      Referenced In Project/Scope: OpenKM Web Application

      Identifiers

      • None

      pl.js

      File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/pl.js
      MD5: 8cfca9822e9d0366f55ff09bf301d893
      SHA1: 248889ff5dfdd996065ce8cd55aec10caf75f1ba
      SHA256:1fa8e11bf6eda8624c13e9fdc3bf53015601768a7c0dc0e7942ba62c925496df
      Referenced In Project/Scope: OpenKM Web Application

      Identifiers

      • None

      placeholder.js

      File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/addon/display/placeholder.js
      MD5: 61ed0cc4d000f3dee5390e8111797d80
      SHA1: 7af480851e1c3979926f60a77ea6e36f88938a8f
      SHA256:857ffa6a2da4591c38c3380359fd6be362f089190374a69a44e4b18660fb1b75
      Referenced In Project/Scope: OpenKM Web Application

      Identifiers

      • None

      plugin.min.js

      File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/plugins/advlist/plugin.min.js
      MD5: 6d203268ff6a5d95cdffd26dd3f6df76
      SHA1: 2dea2e8b7ff9105336fd25b1c806c5a606700457
      SHA256:ed03753f856b75361c96d4c09f1f69503fd5e9ef6bf17b81bbdd10c0b4b65bd5
      Referenced In Project/Scope: OpenKM Web Application

      Identifiers

      • None

      plugin.min.js

      File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/plugins/anchor/plugin.min.js
      MD5: 25917fb0c34e22440af7f5814b8744af
      SHA1: 0069acafb2ce1b8db76d6b95ebc8ac7b50e4bcb4
      SHA256:c8b1b31717dfcc1e23e499ceb48673972d7b4048d2c2665dbfee3a1470791a63
      Referenced In Project/Scope: OpenKM Web Application

      Identifiers

      • None

      plugin.min.js

      File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/plugins/autolink/plugin.min.js
      MD5: d3f8d3767cd94dbed5e714f510d1866e
      SHA1: bdcc52e2998616f17edde223ef301f922ebb9fdb
      SHA256:65b7dd2e8c7e43f4dca681ed0046cf9a7ef936ba2bac322293501e487f5a282d
      Referenced In Project/Scope: OpenKM Web Application

      Identifiers

      • None

      plugin.min.js

      File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/plugins/autoresize/plugin.min.js
      MD5: 259de19c7495767e92dec10636da77b0
      SHA1: 88e1303a6a59898a506643c56140419a9e83bef8
      SHA256:115f209eb0d74ee8ba336af5da1de90da3f80bf01714c59d1516abc75ee09482
      Referenced In Project/Scope: OpenKM Web Application

      Identifiers

      • None

      plugin.min.js

      File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/plugins/autosave/plugin.min.js
      MD5: 4dec5af212b093dd999c9f823138b645
      SHA1: 16db5893d5965e0575b5cd77b1d48ed1423f0ed6
      SHA256:f383956470d386011b9b5670b2180f11e91149e84fa28a19484ae6f493391bb1
      Referenced In Project/Scope: OpenKM Web Application

      Identifiers

      • None

      plugin.min.js

      File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/plugins/bbcode/plugin.min.js
      MD5: c0659a68f5de69f1b1632b73a2c534cc
      SHA1: b3658b1fdccdf61bb2f191470b06392aab77a536
      SHA256:2870e899d5cf02a1a82187b8a647a0d0daaec2f9811193547dd650909f9382bf
      Referenced In Project/Scope: OpenKM Web Application

      Identifiers

      • None

      plugin.min.js

      File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/plugins/charmap/plugin.min.js
      MD5: ac627e9017143d091eb11ab6cf1ee68b
      SHA1: b747b4b601432983ebf7d5d090071bf29994f94f
      SHA256:49587e8bbf1f94017364818a845a3a4462f49fe4229d291aaafb6b44d6b39cab
      Referenced In Project/Scope: OpenKM Web Application

      Identifiers

      • None

      plugin.min.js

      File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/plugins/code/plugin.min.js
      MD5: 96c43004c75f30ec4d04acb9ac40cb37
      SHA1: 6ef45e5c18feb4c2406f8c7a28eae34d4ab1a053
      SHA256:d32445165313980bc57839df2fa01027a9308cb014cb839410db5f5969219542
      Referenced In Project/Scope: OpenKM Web Application

      Identifiers

      • None

      plugin.min.js

      File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/plugins/colorpicker/plugin.min.js
      MD5: 1581bb02286f54b4fb0cce52d2ef61c7
      SHA1: e686620051b5d7f533ab6f813063ac604d9d262e
      SHA256:02eb6d55dc132f735d9ab8ef11259b2e25f0dd2ce157dce681d74b7307fb0ac4
      Referenced In Project/Scope: OpenKM Web Application

      Identifiers

      • None

      plugin.min.js

      File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/plugins/contextmenu/plugin.min.js
      MD5: 7e934aa155cfa1a906f53f6fde407f8a
      SHA1: 1efe6588e5f4417ee7f5c26e1d7acaa5d59fe2ba
      SHA256:a5238c4a8852f7b071c7a25fb4209e86a0a16a4477543f5bade0853c866b76bb
      Referenced In Project/Scope: OpenKM Web Application

      Identifiers

      • None

      plugin.min.js

      File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/plugins/directionality/plugin.min.js
      MD5: 60de57253ca9143a6f1e4aff10fc39d2
      SHA1: 26131f3f28f9f931e9ea0a8e5f1ef007706f3fc4
      SHA256:fa1798550b63291ccc9bb67dbc71e857991eacbfb18095458e992d6316b714a8
      Referenced In Project/Scope: OpenKM Web Application

      Identifiers

      • None

      plugin.min.js

      File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/plugins/emoticons/plugin.min.js
      MD5: 5765b009c97598ad485fbd571b4c299a
      SHA1: b9769dd1dbb31f3a676c262d8f34cfdaabdac21c
      SHA256:a7c74ec69db8d8a53c027eb482ed09cb67fca1ea0b6b5422d864ff4af898d540
      Referenced In Project/Scope: OpenKM Web Application

      Identifiers

      • None

      plugin.min.js

      File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/plugins/example/plugin.min.js
      MD5: fd84cb88e227c48e5c63cc84abeaed68
      SHA1: 296bb1093117ac72789fb569ae9bc58afefce56e
      SHA256:4abac3a744202bb8f0b08fddf719274b7268ed84a78ab0457a71206d1b7337fe
      Referenced In Project/Scope: OpenKM Web Application

      Identifiers

      • None

      plugin.min.js

      File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/plugins/example_dependency/plugin.min.js
      MD5: 8751593f8a00cc41f908aa4dc5f8c938
      SHA1: 542cfcc2e403635375337eb796866f4f215cb3f7
      SHA256:b34159ea7a4f528369cef895f67eb5be0d293e5f16fb661f01de71b1c22c0e1e
      Referenced In Project/Scope: OpenKM Web Application

      Identifiers

      • None

      plugin.min.js

      File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/plugins/fullpage/plugin.min.js
      MD5: c7deb7a49ed4ea4a4ec5556cf7c48f41
      SHA1: 8cb06f65beb1374bc42fb65b808abc8df16dd94c
      SHA256:2d27fd6eff55c587623bfc813cd00780a4a91d982a254a28bd9f513e97e468bd
      Referenced In Project/Scope: OpenKM Web Application

      Identifiers

      • None

      plugin.min.js

      File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/plugins/fullscreen/plugin.min.js
      MD5: a7a67d1de1a0330fc7769d384a6564cc
      SHA1: 8f2c4fc413526d1353c45a5bdc354812785c9439
      SHA256:8493434d9d4fe38beeb02b66ca63a3cfa1b204c4afde4fc76a3e0bcb6136ef63
      Referenced In Project/Scope: OpenKM Web Application

      Identifiers

      • None

      plugin.min.js

      File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/plugins/hr/plugin.min.js
      MD5: 5c23255ad2d11db3f72c33b649f1389a
      SHA1: 6a305889f4b3e54a46d82c37d1e782bebc78185a
      SHA256:1880a72526a3788c1483b4b3403d5510c501e985cbb4421ccebe1065b5ec2c6d
      Referenced In Project/Scope: OpenKM Web Application

      Identifiers

      • None

      plugin.min.js

      File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/plugins/image/plugin.min.js
      MD5: aa1f3a90e6a46868d4fe85ca73dcf7ee
      SHA1: f72801281196df1233f2dc9f9abb79f2daf54e8b
      SHA256:9a51a338f96fe0fd2f97f622ab5b48723e2c377c13e2680ec7789b239c58e179
      Referenced In Project/Scope: OpenKM Web Application

      Identifiers

      • None

      plugin.min.js

      File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/plugins/importcss/plugin.min.js
      MD5: 46010d328fee5d680f92277de734ae0f
      SHA1: 494c5b8dbaba4de5ed2f87bfa8603a32ed57fd56
      SHA256:bcc827f4db1f3c157e50ce206a67c0438f6a40660f2a87fbb972148b7e269007
      Referenced In Project/Scope: OpenKM Web Application

      Identifiers

      • None

      plugin.min.js

      File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/plugins/insertdatetime/plugin.min.js
      MD5: c65e3d48af19c32bdc45fff669e62048
      SHA1: 146c52f4b7d57460be1797471c4ba102b3dd6ada
      SHA256:09c99ac2b89a7a30ca8d4892bfb24d38ebd5425ccae3e9b11ca928194ab8b36a
      Referenced In Project/Scope: OpenKM Web Application

      Identifiers

      • None

      plugin.min.js

      File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/plugins/layer/plugin.min.js
      MD5: 3828a4555da924b1e7a387b799a4e429
      SHA1: bec469242bef5acedd8729b6a8161238d4015949
      SHA256:53fd6853bcd687e326292c404a00b4a088672ea8122d896c7e19f89798cfc9f0
      Referenced In Project/Scope: OpenKM Web Application

      Identifiers

      • None

      plugin.min.js

      File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/plugins/legacyoutput/plugin.min.js
      MD5: 0c5c208d997854cac387df94d9d86250
      SHA1: afc16b07074d50566643cf7eeaca3d6592e9f6f6
      SHA256:10856e9c8df86168e6e85e2062a439fa5964d073a2aedcbe5a03f8193df6ee34
      Referenced In Project/Scope: OpenKM Web Application

      Identifiers

      • None

      plugin.min.js

      File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/plugins/link/plugin.min.js
      MD5: 99f908cfad07c36e0c7bfedb651a60dc
      SHA1: 4b18374ef13a620a935a429ecaf6a932d951ccae
      SHA256:dc0027d88edda25a35c635a651b15d231cfc3aed326f3b15dcfa283b5cd57faa
      Referenced In Project/Scope: OpenKM Web Application

      Identifiers

      • None

      plugin.min.js

      File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/plugins/lists/plugin.min.js
      MD5: 279a5b0bf93f8d81288dfbd117b6c77c
      SHA1: 6cf9310f71a8af782612f987c45070f7d4fb8896
      SHA256:7ff40471acbae78157df0e7feba0f9a89cc6e193509a1280729fc2aeb562f103
      Referenced In Project/Scope: OpenKM Web Application

      Identifiers

      • None

      plugin.min.js

      File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/plugins/media/plugin.min.js
      MD5: 54b12794da9f72eba7a1b7c742eef081
      SHA1: 8bae182be0fbd80a1ad8f944ba3436580492a26c
      SHA256:9f5083ba1f9a2a3dd620785cf2888c29235776ab587791fa17cffff85ab5060d
      Referenced In Project/Scope: OpenKM Web Application

      Identifiers

      • None

      plugin.min.js

      File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/plugins/nonbreaking/plugin.min.js
      MD5: 57e70fea5eafa39e96baef5e3a161345
      SHA1: 59884f75d3e2bc6c1f7ed7867004a998a92bfe7f
      SHA256:657a112a9941c4ea4e7c574b011797ac332dd8880b1f9a3a33b679e971448adb
      Referenced In Project/Scope: OpenKM Web Application

      Identifiers

      • None

      plugin.min.js

      File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/plugins/noneditable/plugin.min.js
      MD5: 1a4898b56ff60e263e03365b230d0bff
      SHA1: 6962c443008dc0103823b3ccf62ac9c4a73626a6
      SHA256:2a3e9fa3296494b594a9bfa948372372617ee59f9fc93ebb4a2a27dc57a3f76d
      Referenced In Project/Scope: OpenKM Web Application

      Identifiers

      • None

      plugin.min.js

      File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/plugins/pagebreak/plugin.min.js
      MD5: cb83a44a5067ea5772946b408d78199c
      SHA1: b28c2bb852de15457c66d34036b036061e0f6605
      SHA256:0ee22700c2228ba9758ceacfb36cb662f39fc64b75f350127eb7bb727fca866b
      Referenced In Project/Scope: OpenKM Web Application

      Identifiers

      • None

      plugin.min.js

      File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/plugins/paste/plugin.min.js
      MD5: 720418167ced7d4e1633fb64ba3d390f
      SHA1: ef47b96c54156804e045519d932bc7058d37e710
      SHA256:25683be105faf23cbdf34bbaae760476b5cb6061f360b54535ea171bc94ae79d
      Referenced In Project/Scope: OpenKM Web Application

      Identifiers

      • None

      plugin.min.js

      File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/plugins/preview/plugin.min.js
      MD5: 9d70ec722727adb76413e682f0a0e588
      SHA1: e2b35b5f40d194af4d326d391c623941a1d29305
      SHA256:3f62d78113afc6bd199b54066d2d38889da5bda29a3461fff44118f4d348873c
      Referenced In Project/Scope: OpenKM Web Application

      Identifiers

      • None

      plugin.min.js

      File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/plugins/print/plugin.min.js
      MD5: d770c768f972dd323698be2b5d45d242
      SHA1: 85fc5187189aa345320868a0337227225dbabbdc
      SHA256:aed57bc6a4ed6f69e061f179f556b650c1e6535fee41dd3d76e36ddfceef1d25
      Referenced In Project/Scope: OpenKM Web Application

      Identifiers

      • None

      plugin.min.js

      File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/plugins/save/plugin.min.js
      MD5: 76741aa64a8a9a7506a14f6798a74b83
      SHA1: 8cfc8265389d878aa9c23c13b90085d942776fc4
      SHA256:2f0be9b281e3104aad415d4eb44c1266aa48cfd348dc5933b7361115d2e68013
      Referenced In Project/Scope: OpenKM Web Application

      Identifiers

      • None

      plugin.min.js

      File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/plugins/searchreplace/plugin.min.js
      MD5: a3c4107374750dd57e7ddff0c8eb5643
      SHA1: 190d12f4c16bf37974ea15ae87a5bd26e205c583
      SHA256:c9c61ebaf3ce296b169b87bafc8c417016293f57be2924476ee945c3411754a0
      Referenced In Project/Scope: OpenKM Web Application

      Identifiers

      • None

      plugin.min.js

      File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/plugins/spellchecker/plugin.min.js
      MD5: e744c036a839eb342af020318f4527d0
      SHA1: 9b581fab93aa07d3595d5f3e93312098867c984c
      SHA256:553d9c89daff184092fd92062f9a4c986a24b769bdd59cdb8eee314420c1c6b6
      Referenced In Project/Scope: OpenKM Web Application

      Identifiers

      • None

      plugin.min.js

      File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/plugins/tabfocus/plugin.min.js
      MD5: d810b096023695b38bf682f20774af98
      SHA1: a1e6bda7027fe643c623dfa6a2e4990e3774a38f
      SHA256:d6c72e2b6645f20fb73a343805b48545cfb2215e29f849648f108b80d5564da1
      Referenced In Project/Scope: OpenKM Web Application

      Identifiers

      • None

      plugin.min.js

      File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/plugins/table/plugin.min.js
      MD5: 46c5423637545ce4655ff1844150396e
      SHA1: e10994719509c005a7efbf1c3b41e52d1400b8b2
      SHA256: eed3c615c035e1f489d2db10c1365834bded334cfd37cbcd06d46cd105026ca0
      Referenced In Project/Scope: OpenKM Web Application

      Identifiers

      • None

      plugin.min.js

      File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/plugins/template/plugin.min.js
      MD5: c409f9fda82f973a1106a7b5878dd85e
      SHA1: 9e5764eb5d54b44ac41be65471ff80744117fe35
      SHA256: 20163b5311a6d86f6d993658e6bd3fbec2b1482b88aef023476f25a502bde88d
      Referenced In Project/Scope: OpenKM Web Application

      Identifiers

      • None

      plugin.min.js

      File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/plugins/textcolor/plugin.min.js
      MD5: 870511532b062a500c95ae81e1cf23d3
      SHA1: ed05f53a990e8986b62f468d3e60a6486f038428
      SHA256: aa4832d86f88f94f386b102c232eab5299525e0dccfd01c94d343ac531ad0a2d
      Referenced In Project/Scope: OpenKM Web Application

      Identifiers

      • None

      plugin.min.js

      File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/plugins/textpattern/plugin.min.js
      MD5: f3413b95cbfa2817c3de7b02e17743ca
      SHA1: 23a05dded8934205e5fee6e705172f5d624d8a22
      SHA256: 3baa5bc3db6aaddb2e975e52fb6d038089a32a100ee158538e7560a233fecf5b
      Referenced In Project/Scope: OpenKM Web Application

      Identifiers

      • None

      plugin.min.js

      File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/plugins/visualblocks/plugin.min.js
      MD5: 9799dd341c8ad1495fbb10532582e760
      SHA1: e4dd01381493ad802c9c38b4a1c84347a3b3b51c
      SHA256: 0a0f01b9607dd3e0acbde63e7716938e2e6a9471515241aecf2d17932b768029
      Referenced In Project/Scope: OpenKM Web Application

      Identifiers

      • None

      plugin.min.js

      File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/plugins/visualchars/plugin.min.js
      MD5: 9eb7433cda51e164d170010f9a86ed4c
      SHA1: 51cf1ca5dc71b2255da1d65a83ffd3d16eec8f2b
      SHA256: 3b52f69be85505a5b74a8b353ea4756e208dd31982fae99e8c69bbdfa10e8e64
      Referenced In Project/Scope: OpenKM Web Application

      Identifiers

      • None

      plugin.min.js

      File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/plugins/wordcount/plugin.min.js
      MD5: e025cce6ea770be54ef578112d797ae4
      SHA1: a6b1ad13d2a09422ed3e4d4555f6a0a04599df17
      SHA256: 6ec028a9884af7b0d66343b2b727c689e4d9f529d9ad844c18ff178ee5d547bf
      Referenced In Project/Scope: OpenKM Web Application

      Identifiers

      • None

      poi-3.12.jar

      Description:

      Apache POI - Java API To Access Microsoft Format Files

      License:

      The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
      File Path: /home/vaclav/.m2/repository/org/apache/poi/poi/3.12/poi-3.12.jar
      MD5: c22098095e289dd8546d1565bc1a4c7d
      SHA1: 8be19a6a1fa08e934a497929f360111a4d2e5115
      SHA256: aef9a5c3895c7fa05d8f72f477d817d3c2a11c8f4760c3d0951b86a7eb07f151
      Referenced In Project/Scope: OpenKM Web Application:compile
      poi-3.12.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12

      Identifiers

      CVE-2017-12626  

      Apache POI in versions prior to release 3.17 are vulnerable to Denial of Service Attacks: 1) Infinite Loops while parsing crafted WMF, EMF, MSG and macros (POI bugs 61338 and 61294), and 2) Out of Memory Exceptions while parsing crafted DOC, PPT and XLS (POI bugs 52372 and 61295).
      CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')

      CVSSv2:
      • Base Score: MEDIUM (5.0)
      • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
      CVSSv3:
      • Base Score: HIGH (7.5)
      • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A

      References:

      Vulnerable Software & Versions:

      CVE-2016-5000  

      The XLSX2CSV example in Apache POI before 3.14 allows remote attackers to read arbitrary files via a crafted OpenXML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
      CWE-611 Improper Restriction of XML External Entity Reference

      CVSSv2:
      • Base Score: MEDIUM (4.3)
      • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
      CVSSv3:
      • Base Score: MEDIUM (5.5)
      • Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:1.8/RC:R/MAV:A

      References:

        Vulnerable Software & Versions:

        CVE-2017-5644  

        Apache POI in versions prior to release 3.15 allows remote attackers to cause a denial of service (CPU consumption) via a specially crafted OOXML file, aka an XML Entity Expansion (XEE) attack.
        CWE-776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

        CVSSv2:
        • Base Score: HIGH (7.1)
        • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:C
        CVSSv3:
        • Base Score: MEDIUM (5.5)
        • Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:1.8/RC:R/MAV:A

        References:

        Vulnerable Software & Versions:

        CVE-2019-12415  

        In Apache POI up to 4.1.0, when using the tool XSSFExportToXml to convert user-provided Microsoft Excel documents, a specially crafted document can allow an attacker to read files from the local filesystem or from internal network resources via XML External Entity (XXE) Processing.
        CWE-611 Improper Restriction of XML External Entity Reference

        CVSSv2:
        • Base Score: LOW (2.1)
        • Vector: /AV:L/AC:L/Au:N/C:P/I:N/A:N
        CVSSv3:
        • Base Score: MEDIUM (5.5)
        • Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:1.8/RC:R/MAV:A

        References:

        Vulnerable Software & Versions:

        CVE-2022-26336  

        A shortcoming in the HMEF package of poi-scratchpad (Apache POI) allows an attacker to cause an Out of Memory exception. This package is used to read TNEF files (Microsoft Outlook and Microsoft Exchange Server). If an application uses poi-scratchpad to parse TNEF files and the application allows untrusted users to supply them, then a carefully crafted file can cause an Out of Memory exception. This issue affects poi-scratchpad version 5.2.0 and prior versions. Users are recommended to upgrade to poi-scratchpad 5.2.1.
        CWE-20 Improper Input Validation, CWE-770 Allocation of Resources Without Limits or Throttling

        CVSSv2:
        • Base Score: MEDIUM (4.3)
        • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
        CVSSv3:
        • Base Score: MEDIUM (5.5)
        • Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:1.8/RC:R/MAV:A

        References:

        Vulnerable Software & Versions:

        properties.js

        File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/properties/properties.js
        MD5: b6b9faca9403e53b22a5aec3589a68f7
        SHA1: 4c62b883d74a39200f50f9755788b4c656520b86
        SHA256: cdeae6311b8b19564068b8ae89611efb9f43c3214e9442c40ab4830cf377c2b6
        Referenced In Project/Scope: OpenKM Web Application

        Identifiers

        • None

        pt_BR.js

        File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/pt_BR.js
        MD5: fb06e7e3dba8251c0a5200f3df9609bc
        SHA1: 8ab2fd8e3732076af727c0fa03fd3f76add9bf4a
        SHA256: b047a8837b0baf3bed867a454d456df91690c0e29471ee1d8a944bedf9a2dabe
        Referenced In Project/Scope: OpenKM Web Application

        Identifiers

        • None

        pt_PT.js

        File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/pt_PT.js
        MD5: 7e9ad8632be098ad4613d77aaff6bcb7
        SHA1: 6e91045750da0ea9928bdd8924e550666644a402
        SHA256: a8932c385742f61a140024f0f3e44ac3ce55cdae26a097d8f94307adb3f6799f
        Referenced In Project/Scope: OpenKM Web Application

        Identifiers

        • None

        puppet.js

        File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/puppet/puppet.js
        MD5: 3c395b7fa1c9ade1ab76ca43ff4047ec
        SHA1: 2db63a187ebc432570e699a1021f12cf00baf712
        SHA256: c572b4722a9e31a83015fd2c052d46f943cfa7a01ba8d799e01f0ecaf654df19
        Referenced In Project/Scope: OpenKM Web Application

        Identifiers

        • None

        python-hint.js

        File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/addon/hint/python-hint.js
        MD5: ba8376020ec5868f56a94034bf396726
        SHA1: 318baee188b04a86d449294cea67ec3ac0dd01df
        SHA256: 1cd8893740f6995dfa58f05f14dde2a4cff6998ab331a299a9a5250718687eed
        Referenced In Project/Scope: OpenKM Web Application

        Identifiers

        • None

        python.js

        File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/python/python.js
        MD5: 276c05bde8d7b945784374d8ee17964d
        SHA1: 027e8f8b63df70b3bcf7d1092c087448ba51938a
        SHA256: 54468761ce3feb2a1c8729016a0e3ed0f7f0f7b917242549599f39048c5f5852
        Referenced In Project/Scope: OpenKM Web Application

        Identifiers

        • None

        q.js

        File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/q/q.js
        MD5: eb0cb3d3d54bc05313f2b1241e1fa8a3
        SHA1: 07bf08f16c1176ffd0ae0e50ff32dd4bf98fabbb
        SHA256: 624c14ffcf3046191897869b34d1e6e15a8495870f88da0d4cd664663db23ede
        Referenced In Project/Scope: OpenKM Web Application

        Identifiers

        • None

        r.js

        File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/r/r.js
        MD5: 939945c81b626959a12ccd25ac2c7839
        SHA1: 3c570dfe382af5d893da9ce4aa33878a1ef2668a
        SHA256: fcd8e30c9ee6bb0e284e456dc6e5bab5f26f7c49d9078b67e8918b74b95834d7
        Referenced In Project/Scope: OpenKM Web Application

        Identifiers

        • None

        reflections-0.9.11.jar

        Description:

        Reflections - a Java runtime metadata analysis

        License:

        WTFPL: http://www.wtfpl.net/
        The New BSD License: http://www.opensource.org/licenses/bsd-license.html
        File Path: /home/vaclav/.m2/repository/org/reflections/reflections/0.9.11/reflections-0.9.11.jar
        MD5: aca303b243a6c2225685b992ceea1cb3
        SHA1: 4c686033d918ec1727e329b7222fcb020152e32b
        SHA256: cca88428f8a8919df885105833d45ff07bd26f985f96ee55690551216b58b4a1
        Referenced In Project/Scope: OpenKM Web Application:compile
        reflections-0.9.11.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12

        Identifiers

        resolver-20050927.jar

        File Path: /home/vaclav/.m2/repository/com/sun/org/apache/xml/internal/resolver/20050927/resolver-20050927.jar
        MD5: 96d75a90d89ff0cb6b96282171a212de
        SHA1: ee4db4a5f15cbdb453808c2839f08240ac231e46
        SHA256: 4abbc5d52aab572ad70f83554ba366e983412e57f527af95fd19758503a03f3c
        Referenced In Project/Scope: OpenKM Web Application:compile
        resolver-20050927.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.apache.chemistry.opencmis/chemistry-opencmis-server-bindings@0.12.0

        Identifiers

        ro.js

        File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/ro.js
        MD5: 365a69437f9b98d77937abdcbcf419e5
        SHA1: 6f1765a899584e2243a49a4ccf78b7a83a8e2d63
        SHA256: 9b7cb91392c19b8deb8c6f989a8299d2205f480e7577ac5e83d88cef6dbe8d51
        Referenced In Project/Scope: OpenKM Web Application

        Identifiers

        • None

        rome-1.0.jar

        Description:

        All Roads Lead to ROME. ROME is a set of Atom/RSS Java utilities that make it easy to work in Java with most syndication formats. Today it accepts all flavors of RSS (0.90, 0.91, 0.92, 0.93, 0.94, 1.0 and 2.0), Atom 0.3 and Atom 1.0 feeds. Rome includes a set of parsers and generators for the various flavors of feeds, as well as converters to convert from one format to another. The parsers can give you back Java objects that are either specific for the format you want to work with, or a generic normalized SyndFeed object that lets you work on with the data without bothering about the underlying format.

        File Path: /home/vaclav/.m2/repository/rome/rome/1.0/rome-1.0.jar
        MD5: 53d38c030287b939f4e6d745ba1269a7
        SHA1: 022b33347f315833e9348cec2751af1a5d5656e4
        SHA256: cd2cfd3b4e2af9eb8fb09d6a2384328e5b9cf1138bccaf7e31f971e5f7678c6c
        Referenced In Project/Scope: OpenKM Web Application:compile
        rome-1.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12

        Identifiers

        • pkg:maven/rome/rome@1.0  (Confidence:High)
        • cpe:2.3:a:oracle:system_utilities:1.0:*:*:*:*:*:*:*  (Confidence:Low)  
        • cpe:2.3:a:oracle:utilities_framework:1.0:*:*:*:*:*:*:*  (Confidence:Low)  

        rpm.js

        File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/rpm/rpm.js
        MD5: 29c192c1da5623e3ec86241729f78fde
        SHA1: d2b35f0e8286a2a493f00463604ccdf3ea89872b
        SHA256: c3e52ce5a54a2993f01ec61e879a5c2799f6e4bdd4c44c1309bad300c0cecf18
        Referenced In Project/Scope: OpenKM Web Application

        Identifiers

        • None

        rst.js

        File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/rst/rst.js
        MD5: 4ba4a59d42648646c4d40aa5d2bd766e
        SHA1: 20a6f3c291525ac938a0f28a206ce1af530fedb5
        SHA256: 4f5b61b85864b47f9469fc79b741fd0ee7f2f304f42e7c3f3d1c00f7b81d4061
        Referenced In Project/Scope: OpenKM Web Application

        Identifiers

        • None

        ru.js

        File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/ru.js
        MD5: f70b6e8635b774e8d67e956527408462
        SHA1: b24bad363c765bb0c2d3fb4541a7d59755d410d1
        SHA256: 8ecf99ac06a5ddc80e64f53629d1c2e55cccfb00d1441122cca4f72f24b49b19
        Referenced In Project/Scope: OpenKM Web Application

        Identifiers

        • None

        ruby.js

        File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/ruby/ruby.js
        MD5: 4c8c22081c5c49cce3e007da96229294
        SHA1: e1364d840cdb5723125bf1a31c3837098bb1d8eb
        SHA256: cfe7620a2203a3fd7346badf0d0f004c7eab6c772ccc5c9dd2f4db2406aef570
        Referenced In Project/Scope: OpenKM Web Application

        Identifiers

        • None

        rulers.js

        File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/addon/display/rulers.js
        MD5: 7835756be0815b06307e91f79a73543d
        SHA1: 2b2f4990b1bcd8737ce65627f180823875f52a91
        SHA256: 5a47ed9ce8172cac20c280d0917e86f07f753f589c15799817e5bf855ccfdfb7
        Referenced In Project/Scope: OpenKM Web Application

        Identifiers

        • None

        runmode-standalone.js

        File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/addon/runmode/runmode-standalone.js
        MD5: 99ad186a1edecb50feba263b0babcb22
        SHA1: 15672ce04390a392c6ee2d8f78bd8a466b74b0e8
        SHA256: 82e42f4692533397935c45cd3b7bf1527bd02f19a7ff38eb4d0b9be77a671ab0
        Referenced In Project/Scope: OpenKM Web Application

        Identifiers

        • None

        runmode.js

        File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/addon/runmode/runmode.js
        MD5: ef6cb4132f65f02f4742c7167227315a
        SHA1: a6f17774ff4e301dcca69f70e544a65a19d0bb63
        SHA256: 74d8efce7b74b46158608d0f59ec4635782edde8f8334b9fe29f7fec0990e112
        Referenced In Project/Scope: OpenKM Web Application

        Identifiers

        • None

        runmode.node.js

        File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/addon/runmode/runmode.node.js
        MD5: 0f59030a5774824053d1f1460eec2fe3
        SHA1: d49abca3fe5e3f2d828d4120417f1c1f7628dec8
        SHA256: 802ea6110611e048ff1208edb75e65997cf2236d72d27f7f27849f4b9de49bac
        Referenced In Project/Scope: OpenKM Web Application

        Identifiers

        • None

        rust.js

        File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/rust/rust.js
        MD5: bca16384dcbea100ecfeecbb58defcbb
        SHA1: f9c4f374231aa3946dea242b70475cd2cd579a1c
        SHA256: 887edde8913518d7d1750f5e23bf0ac2c3acc0625469e1c816a5a42a2b2a1466
        Referenced In Project/Scope: OpenKM Web Application

        Identifiers

        • None

        saaj-api-1.3.jar

        License:

        COMMON DEVELOPMENT AND DISTRIBUTION LICENSE (CDDL) Version 1.0: http://www.sun.com/cddl/cddl.html
        File Path: /home/vaclav/.m2/repository/javax/xml/soap/saaj-api/1.3/saaj-api-1.3.jar
        MD5: 119be912d6fd00dd3ccf3071d520bc08
        SHA1: 4e0c860c1bf18b54ccb10a3c7ab2e4d61452faff
        SHA256: d36278c49c50f1fe41c264414a1f572a6578d544b8ca89053597ecb9ca87f63e
        Referenced In Project/Scope: OpenKM Web Application:compile
        saaj-api-1.3.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.apache.chemistry.opencmis/chemistry-opencmis-server-bindings@0.12.0

        Identifiers

        saaj-impl-1.3.3.jar

        File Path: /home/vaclav/.m2/repository/com/sun/xml/messaging/saaj/saaj-impl/1.3.3/saaj-impl-1.3.3.jar
        MD5: 2da6039d38084376f4afa0275a72ef0b
        SHA1: 4e0c93e61ec6acf0a3ac96e692a58d184fba1456
        SHA256: a43b05ba571c674b105366c92f8bcde767beb4151f19bdd836d454ae80986c0e
        Referenced In Project/Scope: OpenKM Web Application:compile
        saaj-impl-1.3.3.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.apache.chemistry.opencmis/chemistry-opencmis-server-bindings@0.12.0

        Identifiers

        sac-1.3.jar

        Description:

        SAC is a standard interface for CSS parsers.

        License:

        The W3C Software License: http://www.w3.org/Consortium/Legal/copyright-software-19980720
        File Path: /home/vaclav/.m2/repository/org/w3c/css/sac/1.3/sac-1.3.jar
        MD5: eb04fa63fc70c722f2b8ec156166343b
        SHA1: cdb2dcb4e22b83d6b32b93095f644c3462739e82
        SHA256: 003785669f921aafe4f137468dd20a01a36111e94fd7449f26c16e7924d82d23
        Referenced In Project/Scope: OpenKM Web Application:provided
        sac-1.3.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.google.gwt/gwt-user@2.8.2

        Identifiers

        sass.js

        File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/sass/sass.js
        MD5: a4fec0d19cba2db69f65778b400ddd6b
        SHA1: 08e096a050212bdf8c0e05d3d67197f38a7d8b07
        SHA256: f569850da80733a07e503a19e9221c22c1ef02f6c298cf8e524e2f2e92a4b26a
        Referenced In Project/Scope: OpenKM Web Application

        Identifiers

        • None

        scheme.js

        File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/scheme/scheme.js
        MD5: 69d29be2eb14c3d9ed525516b8068e78
        SHA1: 4628e1327b7c163b0f5985cb957d5bfaf78be750
        SHA256: e377dbc04ab9d98f449d06f11c434efab5bae2b4f22d152c2f77764eef98ba55
        Referenced In Project/Scope: OpenKM Web Application

        Identifiers

        • None

        scrollpastend.js

        File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/addon/scroll/scrollpastend.js
        MD5: ba2b499d177929af53c8f5600251ae50
        SHA1: 144046bda8a08cc0aa0f2918a86af037c3767757
        SHA256: 2dc75eb57818f1b5aea5672bc85b3bc62147b13165a9802004af2eb4dba2e910
        Referenced In Project/Scope: OpenKM Web Application

        Identifiers

        • None

        scss_test.js

        File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/css/scss_test.js
        MD5: 5cb6aecad7b9e26ba606e63bbd9df239
        SHA1: 6d044d19fb0be7556f3a6f359c59dbee614f1f51
        SHA256: 55787a681d4d9e1621316a15d840b4258a0c151ccd1506f8e1ee98e5fb883dea
        Referenced In Project/Scope: OpenKM Web Application

        Identifiers

        • None

        search.js

        File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/addon/search/search.js
        MD5: ac824839f0d07d89bd1dd411b1c0edec
        SHA1: 2d3c929d6e9082d8327e898e0cf599b88ca130e3
        SHA256: 5432950dd8c3a2a65780be3f226cfac6b63b228079dc18c7eeb1783431ac9276
        Referenced In Project/Scope: OpenKM Web Application

        Identifiers

        • None

        searchcursor.js

        File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/addon/search/searchcursor.js
        MD5: e25169181322c4462986f7aacb99be52
        SHA1: 40be9c0cbab66404c699af1337576ce277854f23
        SHA256: 3cb7861643258fce7b48e5dfc43977ad4b4151fabbd3c75a4ec4680936517f7f
        Referenced In Project/Scope: OpenKM Web Application

        Identifiers

        • None

        serializer-2.7.1.jar

        Description:

        Serializer to write out XML, HTML etc. as a stream of characters from an input DOM or from input SAX events.

        File Path: /home/vaclav/.m2/repository/xalan/serializer/2.7.1/serializer-2.7.1.jar
        MD5: a6b64dfe58229bdd810263fa0cc54cff
        SHA1: 4b4b18df434451249bb65a63f2fb69e215a6a020
        SHA256: a15078d243d4a20b6b4e8ae2f61ed4655e352054e121aada6f7441f1ed445a3c
        Referenced In Project/Scope: OpenKM Web Application:compile
        serializer-2.7.1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.docx4j/docx4j@3.1.0

        Identifiers

        CVE-2014-0107  

        The TransformerFactory in Apache Xalan-Java before 2.7.2 does not properly restrict access to certain properties when FEATURE_SECURE_PROCESSING is enabled, which allows remote attackers to bypass expected restrictions and load arbitrary classes or access external resources via a crafted (1) xalan:content-header, (2) xalan:entities, (3) xslt:content-header, or (4) xslt:entities property, or a Java property that is bound to the XSLT 1.0 system-property function.
        CWE-264 Permissions, Privileges, and Access Controls

        CVSSv2:
        • Base Score: HIGH (7.5)
        • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P

        References:

        Vulnerable Software & Versions:

        CVE-2022-34169  

        The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. Users are recommended to update to version 2.7.3 or later. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan.
        CWE-681 Incorrect Conversion between Numeric Types

        CVSSv3:
        • Base Score: HIGH (7.5)
        • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:3.9/RC:R/MAV:A

        References:

        Vulnerable Software & Versions:

        servlet-api-2.5-20081211.jar

        Description:

        Servlet Specification API

        License:

        http://www.apache.org/licenses/LICENSE-2.0
        File Path: /home/vaclav/.m2/repository/org/mortbay/jetty/servlet-api/2.5-20081211/servlet-api-2.5-20081211.jar
        MD5: 083898d794cc261853922ca941aee390
        SHA1: 22bff70037e1e6fa7e6413149489552ee2064702
        SHA256: 068756096996fe00f604ac3b6672d6f663dc777ea4a83056e240d0456e77e472
        Referenced In Project/Scope: OpenKM Web Application:compile
        servlet-api-2.5-20081211.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.google.gdata/core@1.47.1

        Identifiers

        CVE-2009-5048  

        Cookie Dump Servlet stored XSS vulnerability in jetty through 6.1.20.
        CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

        CVSSv2:
        • Base Score: MEDIUM (4.3)
        • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
        CVSSv3:
        • Base Score: MEDIUM (6.1)
        • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:2.8/RC:R/MAV:A

        References:

        Vulnerable Software & Versions:

        CVE-2009-5049  

        WebApp JSP Snoop page XSS in jetty through 6.1.21.
        CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

        CVSSv2:
        • Base Score: MEDIUM (4.3)
        • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
        CVSSv3:
        • Base Score: MEDIUM (6.1)
        • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:2.8/RC:R/MAV:A

        References:

        Vulnerable Software & Versions:

        CVE-2005-3747  

        Unspecified vulnerability in Jetty before 5.1.6 allows remote attackers to obtain source code of JSP pages, possibly involving requests for .jsp files with URL-encoded backslash ("%5C") characters. NOTE: this might be the same issue as CVE-2006-2758.
        NVD-CWE-noinfo, CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

        CVSSv2:
        • Base Score: MEDIUM (5.0)
        • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N

        References:

        Vulnerable Software & Versions:

        CVE-2007-5615  

        CRLF injection vulnerability in Mortbay Jetty before 6.1.6rc0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.
        CWE-94 Improper Control of Generation of Code ('Code Injection')

        CVSSv2:
        • Base Score: MEDIUM (5.0)
        • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N

        References:

        Vulnerable Software & Versions:

        CVE-2009-1523  

        Directory traversal vulnerability in the HTTP server in Mort Bay Jetty 5.1.14, 6.x before 6.1.17, and 7.x through 7.0.0.M2 allows remote attackers to access arbitrary files via directory traversal sequences in the URI.
        CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

        CVSSv2:
        • Base Score: MEDIUM (5.0)
        • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N

        References:

        Vulnerable Software & Versions:

        CVE-2009-1524  

        Cross-site scripting (XSS) vulnerability in Mort Bay Jetty before 6.1.17 allows remote attackers to inject arbitrary web script or HTML via a directory listing request containing a ; (semicolon) character.
        CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

        CVSSv2:
        • Base Score: MEDIUM (4.3)
        • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N

        References:

        Vulnerable Software & Versions:

        servlet-api-6.0.36.jar

        Description:

        javax.servlet package

        License:

        Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
        File Path: /home/vaclav/.m2/repository/org/apache/tomcat/servlet-api/6.0.36/servlet-api-6.0.36.jar
        MD5: eef090b55ae1b68bf98b1e52fe98f53f
        SHA1: d52df1c140619ab68ec2e3162b7e2e0fdb248d2b
        SHA256: 70887f84a95936fd41da7f3feb2bec2f999ef87fdcf15851c56969648643c02c
        Referenced In Project/Scope: OpenKM Web Application:compile
        servlet-api-6.0.36.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.ettrema/milton-servlet@1.8.1.4

        Identifiers

        CVE-2016-8735  

        CISA Known Exploited Vulnerability:
        • Product: Apache Tomcat
        • Name: Apache Tomcat Remote Code Execution Vulnerability
        • Date Added: 2023-05-12
        • Description: Apache Tomcat contains an unspecified vulnerability that allows for remote code execution if JmxRemoteLifecycleListener is used and an attacker can reach Java Management Extension (JMX) ports. This CVE exists because this listener wasn't updated for consistency with the Oracle patched issues for CVE-2016-3427 which affected credential types.
        • Required Action: Apply updates per vendor instructions.
        • Due Date: 2023-06-02
        • Notes: https://tomcat.apache.org/security-9.html

        Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types.
        CWE-284 Improper Access Control

        CVSSv2:
        • Base Score: HIGH (7.5)
        • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
        CVSSv3:
        • Base Score: CRITICAL (9.8)
        • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A

        References:

        Vulnerable Software & Versions:

        CVE-2016-5018  

        In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 a malicious web application was able to bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications.
        NVD-CWE-noinfo

        CVSSv2:
        • Base Score: MEDIUM (6.4)
        • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
        CVSSv3:
        • Base Score: CRITICAL (9.1)
        • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:3.9/RC:R/MAV:A

        References:

        Vulnerable Software & Versions:

        CVE-2016-0714  

        The session-persistence implementation in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 mishandles session attributes, which allows remote authenticated users to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that places a crafted object in a session.
        CWE-264 Permissions, Privileges, and Access Controls

        CVSSv2:
        • Base Score: MEDIUM (6.5)
        • Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P
        CVSSv3:
        • Base Score: HIGH (8.8)
        • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:2.8/RC:R/MAV:A

        References:

        Vulnerable Software & Versions:

        CVE-2016-5388  

        Apache Tomcat 7.x through 7.0.70 and 8.x through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "A mitigation is planned for future releases of Tomcat, tracked as CVE-2016-5388"; in other words, this is not a CVE ID for a vulnerability.
        CWE-284 Improper Access Control

        CVSSv2:
        • Base Score: MEDIUM (5.1)
        • Vector: /AV:N/AC:H/Au:N/C:P/I:P/A:P
        CVSSv3:
        • Base Score: HIGH (8.1)
        • Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:2.2/RC:R/MAV:A

        References:

        Vulnerable Software & Versions:

        CVE-2014-0230  

        Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.55, and 8.x before 8.0.9 does not properly handle cases where an HTTP response occurs before finishing the reading of an entire request body, which allows remote attackers to cause a denial of service (thread consumption) via a series of aborted upload attempts.
        CWE-399 Resource Management Errors

        CVSSv2:
        • Base Score: HIGH (7.8)
        • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:C

        References:

        Vulnerable Software & Versions:

        CVE-2020-8022  

        An Incorrect Default Permissions vulnerability in the packaging of tomcat on SUSE Enterprise Storage 5, SUSE Linux Enterprise Server 12-SP2-BCL, SUSE Linux Enterprise Server 12-SP2-LTSS, SUSE Linux Enterprise Server 12-SP3-BCL, SUSE Linux Enterprise Server 12-SP3-LTSS, SUSE Linux Enterprise Server 12-SP4, SUSE Linux Enterprise Server 12-SP5, SUSE Linux Enterprise Server 15-LTSS, SUSE Linux Enterprise Server for SAP 12-SP2, SUSE Linux Enterprise Server for SAP 12-SP3, SUSE Linux Enterprise Server for SAP 15, SUSE OpenStack Cloud 7, SUSE OpenStack Cloud 8, SUSE OpenStack Cloud Crowbar 8 allows local attackers to escalate from group tomcat to root. This issue affects: SUSE Enterprise Storage 5 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP2-BCL tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP2-LTSS tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP3-BCL tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP3-LTSS tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP4 tomcat versions prior to 9.0.35-3.39.1. SUSE Linux Enterprise Server 12-SP5 tomcat versions prior to 9.0.35-3.39.1. SUSE Linux Enterprise Server 15-LTSS tomcat versions prior to 9.0.35-3.57.3. SUSE Linux Enterprise Server for SAP 12-SP2 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server for SAP 12-SP3 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server for SAP 15 tomcat versions prior to 9.0.35-3.57.3. SUSE OpenStack Cloud 7 tomcat versions prior to 8.0.53-29.32.1. SUSE OpenStack Cloud 8 tomcat versions prior to 8.0.53-29.32.1. SUSE OpenStack Cloud Crowbar 8 tomcat versions prior to 8.0.53-29.32.1.
        CWE-276 Incorrect Default Permissions

        CVSSv2:
        • Base Score: HIGH (7.2)
        • Vector: /AV:L/AC:L/Au:N/C:C/I:C/A:C
        CVSSv3:
        • Base Score: HIGH (7.8)
        • Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:1.8/RC:R/MAV:A

        References:

        Vulnerable Software & Versions:

        CVE-2013-2185  

        The readObject method in the DiskFileItem class in Apache Tomcat and JBoss Web, as used in Red Hat JBoss Enterprise Application Platform 6.1.0 and Red Hat JBoss Portal 6.0.0, allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance, a similar issue to CVE-2013-2186. NOTE: this issue is reportedly disputed by the Apache Tomcat team, although Red Hat considers it a vulnerability. The dispute appears to regard whether it is the responsibility of applications to avoid providing untrusted data to be deserialized, or whether this class should inherently protect against this issue.
        CWE-20 Improper Input Validation

        CVSSv2:
        • Base Score: HIGH (7.5)
        • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P

        References:

        Vulnerable Software & Versions:

        CVE-2016-6796  

        A malicious web application running on Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 was able to bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet.
        NVD-CWE-noinfo

        CVSSv2:
        • Base Score: MEDIUM (5.0)
        • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
        CVSSv3:
        • Base Score: HIGH (7.5)
        • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:3.9/RC:R/MAV:A

        References:

        Vulnerable Software & Versions:

        CVE-2016-6797  

        The ResourceLinkFactory implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not limit web application access to global JNDI resources to those resources explicitly linked to the web application. Therefore, it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not.
        CWE-863 Incorrect Authorization

        CVSSv2:
        • Base Score: MEDIUM (5.0)
        • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
        CVSSv3:
        • Base Score: HIGH (7.5)
        • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:3.9/RC:R/MAV:A

        References:

        Vulnerable Software & Versions:

        CVE-2017-5647  

        A bug in the handling of the pipelined requests in Apache Tomcat 9.0.0.M1 to 9.0.0.M18, 8.5.0 to 8.5.12, 8.0.0.RC1 to 8.0.42, 7.0.0 to 7.0.76, and 6.0.0 to 6.0.52, when send file was used, results in the pipelined request being lost when send file processing of the previous request completed. This could result in responses appearing to be sent for the wrong request. For example, a user agent that sent requests A, B and C could see the correct response for request A, the response for request C for request B and no response for request C.
        CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

        CVSSv2:
        • Base Score: MEDIUM (5.0)
        • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
        CVSSv3:
        • Base Score: HIGH (7.5)
        • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:3.9/RC:R/MAV:A

        References:

          Vulnerable Software & Versions:

          CVE-2016-6816  

          The code in Apache Tomcat 9.0.0.M1 to 9.0.0.M11, 8.5.0 to 8.5.6, 8.0.0.RC1 to 8.0.38, 7.0.0 to 7.0.72, and 6.0.0 to 6.0.47 that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack and/or obtain sensitive information from requests other than their own.
          CWE-20 Improper Input Validation

          CVSSv2:
          • Base Score: MEDIUM (6.8)
          • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
          CVSSv3:
          • Base Score: HIGH (7.1)
          • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L/E:2.8/RC:R/MAV:A

          References:

          Vulnerable Software & Versions:

          CVE-2013-2067  

          java/org/apache/catalina/authenticator/FormAuthenticator.java in the form authentication feature in Apache Tomcat 6.0.21 through 6.0.36 and 7.x before 7.0.33 does not properly handle the relationships between authentication requirements and sessions, which allows remote attackers to inject a request into a session by sending this request during completion of the login form, a variant of a session fixation attack.
          CWE-287 Improper Authentication

          CVSSv2:
          • Base Score: MEDIUM (6.8)
          • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P

          References:

          Vulnerable Software & Versions:

          CVE-2013-4444  

          Unrestricted file upload vulnerability in Apache Tomcat 7.x before 7.0.40, in certain situations involving outdated java.io.File code and a custom JMX configuration, allows remote attackers to execute arbitrary code by uploading and accessing a JSP file.
          CWE-94 Improper Control of Generation of Code ('Code Injection')

          CVSSv2:
          • Base Score: MEDIUM (6.8)
          • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P

          References:
          • secalert@redhat.com - PATCH

          Vulnerable Software & Versions:

          CVE-2014-0227  

          java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat 6.x before 6.0.42, 7.x before 7.0.55, and 8.x before 8.0.9 does not properly handle attempts to continue reading data after an error has occurred, which allows remote attackers to conduct HTTP request smuggling attacks or cause a denial of service (resource consumption) by streaming data with malformed chunked transfer coding.
          CWE-19 Data Processing Errors

          CVSSv2:
          • Base Score: MEDIUM (6.4)
          • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:P

          References:

          Vulnerable Software & Versions:

          CVE-2016-0762  

          The Realm implementations in Apache Tomcat versions 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder.
          CWE-203 Observable Discrepancy

          CVSSv2:
          • Base Score: MEDIUM (4.3)
          • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
          CVSSv3:
          • Base Score: MEDIUM (5.9)
          • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:2.2/RC:R/MAV:A

          References:

          Vulnerable Software & Versions:

          CVE-2013-4286  

          Apache Tomcat before 6.0.39, 7.x before 7.0.47, and 8.x before 8.0.0-RC3, when an HTTP connector or AJP connector is used, does not properly handle certain inconsistent HTTP request headers, which allows remote attackers to trigger incorrect identification of a request's length and conduct request-smuggling attacks via (1) multiple Content-Length headers or (2) a Content-Length header and a "Transfer-Encoding: chunked" header. NOTE: this vulnerability exists because of an incomplete fix for CVE-2005-2090.
          CWE-20 Improper Input Validation

          CVSSv2:
          • Base Score: MEDIUM (5.8)
          • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:N

          References:

          Vulnerable Software & Versions:

          CVE-2015-5345  

          The Mapper component in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.30, and 9.x before 9.0.0.M2 processes redirects before considering security constraints and Filters, which allows remote attackers to determine the existence of a directory via a URL that lacks a trailing / (slash) character.
          CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

          CVSSv2:
          • Base Score: MEDIUM (5.0)
          • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
          CVSSv3:
          • Base Score: MEDIUM (5.3)
          • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:3.9/RC:R/MAV:A

          References:

          Vulnerable Software & Versions:

          CVE-2016-6794  

          When a SecurityManager is configured, a web application's ability to read system properties should be controlled by the SecurityManager. In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70, 6.0.0 to 6.0.45 the system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible.
          NVD-CWE-noinfo

          CVSSv2:
          • Base Score: MEDIUM (5.0)
          • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
          CVSSv3:
          • Base Score: MEDIUM (5.3)
          • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:3.9/RC:R/MAV:A

          References:

          Vulnerable Software & Versions:

          CVE-2012-3544  

          Apache Tomcat 6.x before 6.0.37 and 7.x before 7.0.30 does not properly handle chunk extensions in chunked transfer coding, which allows remote attackers to cause a denial of service by streaming data.
          CWE-20 Improper Input Validation

          CVSSv2:
          • Base Score: MEDIUM (5.0)
          • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P

          References:

          Vulnerable Software & Versions:

          CVE-2014-0075  

          Integer overflow in the parseChunkHeader function in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4 allows remote attackers to cause a denial of service (resource consumption) via a malformed chunk size in chunked transfer coding of a request during the streaming of data.
          CWE-189 Numeric Errors

          CVSSv2:
          • Base Score: MEDIUM (5.0)
          • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P

          References:

          Vulnerable Software & Versions:

          CVE-2014-7810  

          The Expression Language (EL) implementation in Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.58, and 8.x before 8.0.16 does not properly consider the possibility of an accessible interface implemented by an inaccessible class, which allows attackers to bypass a SecurityManager protection mechanism via a web application that leverages use of incorrect privileges during EL evaluation.
          CWE-284 Improper Access Control

          CVSSv2:
          • Base Score: MEDIUM (5.0)
          • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N

          References:

          Vulnerable Software & Versions:

          CVE-2013-4322  

          Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 processes chunked transfer coding without properly handling (1) a large total amount of chunked data or (2) whitespace characters in an HTTP header value within a trailer field, which allows remote attackers to cause a denial of service by streaming data. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-3544.
          CWE-20 Improper Input Validation

          CVSSv2:
          • Base Score: MEDIUM (4.3)
          • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P

          References:

          Vulnerable Software & Versions:

          CVE-2013-4590  

          Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 allows attackers to obtain "Tomcat internals" information by leveraging the presence of an untrusted web application with a context.xml, web.xml, *.jspx, *.tagx, or *.tld XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
          CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

          CVSSv2:
          • Base Score: MEDIUM (4.3)
          • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N

          References:

          Vulnerable Software & Versions:

          CVE-2014-0033  

          org/apache/catalina/connector/CoyoteAdapter.java in Apache Tomcat 6.0.33 through 6.0.37 does not consider the disableURLRewriting setting when handling a session ID in a URL, which allows remote attackers to conduct session fixation attacks via a crafted URL.
          CWE-20 Improper Input Validation

          CVSSv2:
          • Base Score: MEDIUM (4.3)
          • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N

          References:

          Vulnerable Software & Versions:

          CVE-2014-0096  

          java/org/apache/catalina/servlets/DefaultServlet.java in the default servlet in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4 does not properly restrict XSLT stylesheets, which allows remote attackers to bypass security-manager restrictions and read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
          CWE-264 Permissions, Privileges, and Access Controls

          CVSSv2:
          • Base Score: MEDIUM (4.3)
          • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N

          References:

          Vulnerable Software & Versions:

          CVE-2014-0099  

          Integer overflow in java/org/apache/tomcat/util/buf/Ascii.java in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4, when operated behind a reverse proxy, allows remote attackers to conduct HTTP request smuggling attacks via a crafted Content-Length HTTP header.
          CWE-189 Numeric Errors

          CVSSv2:
          • Base Score: MEDIUM (4.3)
          • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N

          References:

          Vulnerable Software & Versions:

          CVE-2014-0119  

          Apache Tomcat before 6.0.40, 7.x before 7.0.54, and 8.x before 8.0.6 does not properly constrain the class loader that accesses the XML parser used with an XSLT stylesheet, which allows remote attackers to (1) read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, or (2) read files associated with different web applications on a single Tomcat instance via a crafted web application.
          CWE-264 Permissions, Privileges, and Access Controls

          CVSSv2:
          • Base Score: MEDIUM (4.3)
          • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N

          References:

          Vulnerable Software & Versions:

          CVE-2015-5174  

          Directory traversal vulnerability in RequestUtil.java in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.65, and 8.x before 8.0.27 allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call, as demonstrated by the $CATALINA_BASE/webapps directory.
          CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

          CVSSv2:
          • Base Score: MEDIUM (4.0)
          • Vector: /AV:N/AC:L/Au:S/C:P/I:N/A:N
          CVSSv3:
          • Base Score: MEDIUM (4.3)
          • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:2.8/RC:R/MAV:A

          References:

          Vulnerable Software & Versions:

          CVE-2016-0706  

          Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application.
          CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

          CVSSv2:
          • Base Score: MEDIUM (4.0)
          • Vector: /AV:N/AC:L/Au:S/C:P/I:N/A:N
          CVSSv3:
          • Base Score: MEDIUM (4.3)
          • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:2.8/RC:R/MAV:A

          References:

          Vulnerable Software & Versions:

          shAutoloader.js

          File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/syntaxhighlighter/shAutoloader.js
          MD5: a122e7137e224f646b22b910a779d211
          SHA1: 5622d674a99d6052829893851dcee1c9b0c7af26
          SHA256:0841295a7e23dabc77c6deb5dc0d10e89a81db34c125f5c4acaffbd2ded3ebde
          Referenced In Project/Scope: OpenKM Web Application

          Identifiers

          • None

          shBrushAS3.js

          File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/syntaxhighlighter/shBrushAS3.js
          MD5: 442d259478af459cb198f1c7920cd6bf
          SHA1: 2e4aa2b0ba7c211a461f4178831af47f0e0613ae
          SHA256:9871cb70f85eee26668f7400c5efec0245311529c0ba0be27a31d535b39e9a8c
          Referenced In Project/Scope: OpenKM Web Application

          Identifiers

          • None

          shBrushAppleScript.js

          File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/syntaxhighlighter/shBrushAppleScript.js
          MD5: 74a77dcec7dd7bd0c996c312d10569bc
          SHA1: 4c032070be424731d1fcf15d5f14c5ad50aba9e2
          SHA256:e910d375025acb7942dd2a1afc0cad373d424a37610876636ef6bdccc5615c29
          Referenced In Project/Scope: OpenKM Web Application

          Identifiers

          • None

          shBrushBash.js

          File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/syntaxhighlighter/shBrushBash.js
          MD5: 2d78054b479066ae1555e9c3ff2982e8
          SHA1: 531024ca0b9decf816ea4c1edb65ac732bd445ab
          SHA256:4819e4b43b2b58bff731cf248d1014ab89250ad347fd0529c246385865e54974
          Referenced In Project/Scope: OpenKM Web Application

          Identifiers

          • None

          shBrushCSharp.js

          File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/syntaxhighlighter/shBrushCSharp.js
          MD5: b280eea611e5ed28f08ea552b59dfef0
          SHA1: bad1e3c00e03fc7475a7b92012d8c39488a94ab1
          SHA256:df44c6cbb3944b3bfaac20e2666af037613853bef6a242dc2ede1fc8efdf63cc
          Referenced In Project/Scope: OpenKM Web Application

          Identifiers

          • None

          shBrushColdFusion.js

          File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/syntaxhighlighter/shBrushColdFusion.js
          MD5: 915874e18d8380902cb7eca143fcee13
          SHA1: e03bf93a134747499000f2d8f26b0ed7b44f586c
          SHA256:15b8bafb748aeaf8932635e5935b6b3f6ba6ee740cabf624d2d8f10594fed769
          Referenced In Project/Scope: OpenKM Web Application

          Identifiers

          • None

          shBrushCpp.js

          File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/syntaxhighlighter/shBrushCpp.js
          MD5: f88b763be0c3069581db71bae6025bd8
          SHA1: eeaff35a98cf75421b4d2afe46aa631c6f89fd0b
          SHA256:a049c1d9058f34156daa5dbab591f5bee61161ebee3fc2fef081bfba1c244e1b
          Referenced In Project/Scope: OpenKM Web Application

          Identifiers

          • None

          shBrushCss.js

          File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/syntaxhighlighter/shBrushCss.js
          MD5: a07a03d9b8a586105267106ed629339e
          SHA1: dc14023bd87bc94ec6cb1f4f1b3570466bb6394f
          SHA256:d3c494b68b64e24bdc66748471fe73d49f0d5402e02029fd6acad00e1a1bd5b8
          Referenced In Project/Scope: OpenKM Web Application

          Identifiers

          • None

          shBrushDelphi.js

          File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/syntaxhighlighter/shBrushDelphi.js
          MD5: 29db1af76facf2deb013621981c43ab7
          SHA1: f8e8c79b6ca3f9cf02befacdd7f5442e5e6f4cdf
          SHA256:8ef1e291eec72ca3fff0921378c3a0d460d340b7c31704d3ab9d13d984b71296
          Referenced In Project/Scope: OpenKM Web Application

          Identifiers

          • None

          shBrushDiff.js

          File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/syntaxhighlighter/shBrushDiff.js
          MD5: 2e12da4b8224909fc0b92131bb04fb7e
          SHA1: d4b02ef15a3a349e5a203ec5b5e96e797c0706b5
          SHA256:97f595d1bf336cea21f7caff224238fd1dc9e98f8d4608eb4e742c58e447ed14
          Referenced In Project/Scope: OpenKM Web Application

          Identifiers

          • None

          shBrushErlang.js

          File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/syntaxhighlighter/shBrushErlang.js
          MD5: 112da02c9c7c83494f3764540aec6cdd
          SHA1: 0821ca2cd71c32e2a1a1ae1456ba8463fb6fc85b
          SHA256:89fb5ef0ebb288764850672bc58c5782639a2085bfb140c313d7de8ab2bf6d66
          Referenced In Project/Scope: OpenKM Web Application

          Identifiers

          • None

          shBrushGroovy.js

          File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/syntaxhighlighter/shBrushGroovy.js
          MD5: 9c6ede0ba21cb804301e156e2b4fd03c
          SHA1: d315b9dbbd39a8a97d1acc9f80cbef916a45839d
          SHA256:14bbddd8b6c3bb08ecc293fed7d5941ef31a1f837f795a75687e7e5cc1cfea47
          Referenced In Project/Scope: OpenKM Web Application

          Identifiers

          • None

          shBrushJScript.js

          File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/syntaxhighlighter/shBrushJScript.js
          MD5: cdae918e2156986f76ada6d301c45f27
          SHA1: 7c8b34f14f4caf9cf2b6ac3315f7bacd95d69e3c
          SHA256:3f534a9cb3030831626f875de5e69f72e1cc020db2761b6ac8a0186ef4fff512
          Referenced In Project/Scope: OpenKM Web Application

          Identifiers

          • None

          shBrushJava.js

          File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/syntaxhighlighter/shBrushJava.js
          MD5: c374a5018773714f971543dc273fceed
          SHA1: 5a1f33a6004f44f9c9e60b867555b88b77424833
          SHA256:29c5f3b4457780a50847804a17dc6906b11f5dc0ecc78f943d7a488690277cf3
          Referenced In Project/Scope: OpenKM Web Application

          Identifiers

          • None

          shBrushJavaFX.js

          File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/syntaxhighlighter/shBrushJavaFX.js
          MD5: 0afafd1298c5870e7f3bf8ab761ccb6e
          SHA1: 97937a8230c34d7c4fa58fb945ae5b4ed7fa9b47
          SHA256:15367145380ec842cc7f9ac4ee51ca3157b2c19062e5a1f7b625b6d6c2778a68
          Referenced In Project/Scope: OpenKM Web Application

          Identifiers

          • None

          shBrushPerl.js

          File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/syntaxhighlighter/shBrushPerl.js
          MD5: b5300568d34b9182117922e8fc7c540a
          SHA1: b7c5eb10c7ec0e8d120bd4c5ab58f51c9b3791f7
          SHA256:d1c7ec6f223e7b7541ab70c5486540f3bfa7b34ebda896f131847a12ff6c73ac
          Referenced In Project/Scope: OpenKM Web Application

          Identifiers

          • None

          shBrushPhp.js

          File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/syntaxhighlighter/shBrushPhp.js
          MD5: 0a52933147cb95e4860a81c6c86863f8
          SHA1: 222f0605fe9de44d8daef71d8fc94f4b3e72e398
          SHA256:eeb0f65854972899fc99b17cf25ea68831cfb238e1e41654135c69b8a6f9fd99
          Referenced In Project/Scope: OpenKM Web Application

          Identifiers

          • None

          shBrushPlain.js

          File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/syntaxhighlighter/shBrushPlain.js
          MD5: 87fdca14e9886310a4e4b3ceb429c7f8
          SHA1: 8c41e3dc03b9a9d7d5cdeded987d7695974cd797
          SHA256:4916a1324a99bcafb7b7e8b333d9b1fa37c427950bb0411d38baac12846c17ad
          Referenced In Project/Scope: OpenKM Web Application

          Identifiers

          • None

          shBrushPowerShell.js

          File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/syntaxhighlighter/shBrushPowerShell.js
          MD5: 3939e2b31f99d06960e56b24697773fd
          SHA1: c93b138058748015f3e4fc1de90dc5d698819c0e
          SHA256:3705039e346c2f75e0f0e8a2c56e8a08ac290def3baa82da68c33263ec7e4d23
          Referenced In Project/Scope: OpenKM Web Application

          Identifiers

          • None

          shBrushPython.js

          File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/syntaxhighlighter/shBrushPython.js
          MD5: 734fbf7c3eb377282d42c6ea110b1ef1
          SHA1: c3771aed486b7f9694536956979fb422a87e6d29
          SHA256:8ec5a39b87d75a7a2967fc06474337c15a9ca1978ec4a8843818fc24897e6475
          Referenced In Project/Scope: OpenKM Web Application

          Identifiers

          • None

          shBrushRuby.js

          File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/syntaxhighlighter/shBrushRuby.js
          MD5: 8da67ffc8de2d75073fc6b31d9af78f9
          SHA1: d75c56b563630b02073653c76ab1e3ca8a4e3f08
          SHA256:85b5c4f0308c8cd394ae84182ed4e60ba70c77d43423895641c8555e10b5a839
          Referenced In Project/Scope: OpenKM Web Application

          Identifiers

          • None

          shBrushSass.js

          File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/syntaxhighlighter/shBrushSass.js
          MD5: ebb4bef932492672be74fd925513fc9a
          SHA1: eb59ec77896569d73264519ce7eada71a9fee838
          SHA256:0967b3d04a276ae4b656f36714cf28c0f691c3f5c2dd6d36eb2f1fbaf0f714cc
          Referenced In Project/Scope: OpenKM Web Application

          Identifiers

          • None

          shBrushScala.js

          File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/syntaxhighlighter/shBrushScala.js
          MD5: ec43414a7d9f971e1b6e3b7bdc4d75b6
          SHA1: 8f909fa1a7da297ff16277a596444b8551d33252
          SHA256:575d4786edd00d96154cd1b36a7fb19eaa6a1bec780b64c73060855882630ee5
          Referenced In Project/Scope: OpenKM Web Application

          Identifiers

          • None

          shBrushSql.js

          File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/syntaxhighlighter/shBrushSql.js
          MD5: 3de8eb19c0c7a60c1c3e0680c18709ab
          SHA1: e1dcf432958657122e61dce037ab98db1ba0118d
          SHA256:83796b8fe75cbbdbb444119072f952caa0acf11fb0f9879ec9994da31567de68
          Referenced In Project/Scope: OpenKM Web Application

          Identifiers

          • None

          shBrushVb.js

          File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/syntaxhighlighter/shBrushVb.js
          MD5: bb8a98a95fabbd96b6c94582716c57cd
          SHA1: ff215086fc178bbe8913193494b2f94d73b6d46f
          SHA256:dc7ad24d7c13335b46b25572c11e1e0238069d54900638d884a53c44d37be5b2
          Referenced In Project/Scope: OpenKM Web Application

          Identifiers

          • None

          shBrushXml.js

          File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/syntaxhighlighter/shBrushXml.js
          MD5: ba290ac0111d2c3f8e1ce36fbaf6a239
          SHA1: 311b19458f80720e59522be044709aa5c78adff1
          SHA256:fb1fe49a904a4fda3ed82d2f88048b2ae88c217980b6bf2163c07f048663b43e
          Referenced In Project/Scope: OpenKM Web Application

          Identifiers

          • None

          shCore.js

          File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/syntaxhighlighter/shCore.js
          MD5: 488ca2f56c37f84283fc9be63219304f
          SHA1: bd9599773965e9c84565abc2e6acdaa92ad6e83f
          SHA256:584a26f39cef2db245f41d4f6b8e3d0f7dfac5c06f0f454a49dfb94f6fb1517b
          Referenced In Project/Scope: OpenKM Web Application

          Identifiers

          • None

          shLegacy.js

          File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/syntaxhighlighter/shLegacy.js
          MD5: b37bc74a8cdb69d5e11e02e9b989189d
          SHA1: afd7575a7482d3505613d2dbef721a30459b98c5
          SHA256:7d02302bbb9594600c23c2b73fda9bb95ce35e0bdcb9c9d90c87f48ebbe41d33
          Referenced In Project/Scope: OpenKM Web Application

          Identifiers

          • None

          shell.js

          File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/shell/shell.js
          MD5: 8a7a29611124bbaeaaa409f09a5d9e50
          SHA1: 7c94042d4f62228f444518c8cb0a9159978ffe01
          SHA256: f74cc7f7aecedc934ac164cc404d36422cf35864fc775b342ca260c5354bc5cb
          Referenced In Project/Scope: OpenKM Web Application

          Identifiers

          • None

          show-hint.js

          File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/addon/hint/show-hint.js
          MD5: ea510962117eb297d093dd47e8ce7407
          SHA1: 04fb567177c2914c747164e25d79fb9d07a8850d
          SHA256: fbe338941f71e9841502934fcb898d715f9f7cc75b7782bada17288cb3292f5a
          Referenced In Project/Scope: OpenKM Web Application

          Identifiers

          • None

          si_LK.js

          File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/si_LK.js
          MD5: 893cc57b6a5aacdcb1071cc6cf5ea98e
          SHA1: ae79f533a8528590226817046592aef4ee767b67
          SHA256: 38e7be5e98e472e39787bab3da77482c0d26a2d4c43cd378696ec13e0df8edca
          Referenced In Project/Scope: OpenKM Web Application

          Identifiers

          • None

          sieve.js

          File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/sieve/sieve.js
          MD5: 26435b472bd68964d42a86b0ca5fa912
          SHA1: bcf65527019aa7009551079138a18570f26cba39
          SHA256: b42e0d4e32e5c3b9240210f64c7ea0f82df3d7b2dd1d81b5696807487fe47b25
          Referenced In Project/Scope: OpenKM Web Application

          Identifiers

          • None

          sigar-1.6.5.132-6.jar

          Description:

          SIGAR (System Information Gatherer and Reporter) is a cross-platform, cross-language library and command-line tool for accessing operating system and hardware level information in Java, Perl, Ruby, Python, Erlang, PHP and C#.

          License:

          Apache License Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
          File Path: /home/vaclav/.m2/repository/org/hyperic/sigar/1.6.5.132-6/sigar-1.6.5.132-6.jar
          MD5: 91197aafc9b6473401ff8e67c46ebc3d
          SHA1: ad0bd6185f6303d376ffb51433089408bd90921e
          SHA256: 632db274a8d7eba32e874c9d28fcc5591ad1583216ce0526adea6a49bc480876
          Referenced In Project/Scope: OpenKM Web Application:compile
          sigar-1.6.5.132-6.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12

          Identifiers

          sk.js

          File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/sk.js
          MD5: a3fb86a79696e9a3db3e5567530bb321
          SHA1: 3c13743eab359deca4bcbb701f10114b4cf77194
          SHA256: 248c64be63a2c2dab81f9fa726152f5d5e26f4f4f550c90563df4f1fd588ba8d
          Referenced In Project/Scope: OpenKM Web Application

          Identifiers

          • None

          sl_SI.js

          File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/sl_SI.js
          MD5: 8f56e0298a498ab31084f3a36f8bb8b6
          SHA1: 88f92095cc2a0d899dbf90efc8a3dcd508caf40c
          SHA256: 781be1c1571ddd307ea8f1a4130737262da315710e552d755c8387f1f0019a1e
          Referenced In Project/Scope: OpenKM Web Application

          Identifiers

          • None

          slf4j-api-1.7.7.jar

          Description:

          The slf4j API

          File Path: /home/vaclav/.m2/repository/org/slf4j/slf4j-api/1.7.7/slf4j-api-1.7.7.jar
          MD5: ca4280bf93d64367723ae5c8d42dd0b9
          SHA1: 2b8019b6249bb05d81d3a3094e468753e2b21311
          SHA256: 69980c038ca1b131926561591617d9c25fabfc7b29828af91597ca8570cf35fe
          Referenced In Project/Scope: OpenKM Web Application:compile
          slf4j-api-1.7.7.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/ch.qos.logback/logback-classic@1.1.3

          Identifiers

          smalltalk.js

          File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/smalltalk/smalltalk.js
          MD5: 50009d72a5443ddc20095206ed14496c
          SHA1: 77d3f5ad6311ddcf2abf23afbb1ff899131fa463
          SHA256: 87cbf5f50356db0fc7cbd7f6462b88b39e0b550fcdd1991e98142fbf9ebc59dc
          Referenced In Project/Scope: OpenKM Web Application

          Identifiers

          • None

          smarty.js

          File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/smarty/smarty.js
          MD5: 24c5bdcad151a30c277c7b340687a879
          SHA1: b56e542931d973dad8c4b702683ebd72787ed931
          SHA256: ebeb1f048eb2abeaf10a541839988ea3ed38b31ee32326500f478cbd862f09e1
          Referenced In Project/Scope: OpenKM Web Application

          Identifiers

          • None

          smartymixed.js

          File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/smartymixed/smartymixed.js
          MD5: 911149271518e4a2f6e98aa91f0894d4
          SHA1: 8fd8885433efd6a3f1b99f01135a3dec9bab14fa
          SHA256: 20f176450153390d9ca38067bd58e1c7cb0f69b7a88239139cab5414d6153597
          Referenced In Project/Scope: OpenKM Web Application

          Identifiers

          • None

          snakeyaml-1.17.jar

          Description:

          YAML 1.1 parser and emitter for Java

          License:

          Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
          File Path: /home/vaclav/.m2/repository/org/yaml/snakeyaml/1.17/snakeyaml-1.17.jar
          MD5: ab621c3cee316236ad04a6f0fe4dd17c
          SHA1: 7a27ea250c5130b2922b86dea63cbb1cc10a660c
          SHA256: 5666b36f9db46f06dd5a19d73bbff3b588d5969c0f4b8848fde0f5ec849430a5
          Referenced In Project/Scope: OpenKM Web Application:compile
          snakeyaml-1.17.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.apache.cxf/cxf-rt-rs-service-description-swagger@3.2.6

          Identifiers

          CVE-2022-1471  

          SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConstructor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.
          
          CWE-502 Deserialization of Untrusted Data, CWE-20 Improper Input Validation

          CVSSv3:
          • Base Score: CRITICAL (9.8)
          • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A

          References:

          Vulnerable Software & Versions:

          CVE-2017-18640  

          The Alias feature in SnakeYAML before 1.26 allows entity expansion during a load operation, a related issue to CVE-2003-1564.
          CWE-776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

          CVSSv2:
          • Base Score: MEDIUM (5.0)
          • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
          CVSSv3:
          • Base Score: HIGH (7.5)
          • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A

          References:

          Vulnerable Software & Versions:

          CVE-2022-25857  

          The package org.yaml:snakeyaml from 0 and before 1.31 is vulnerable to Denial of Service (DoS) due to a missing nested depth limitation for collections.
          CWE-776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

          CVSSv3:
          • Base Score: HIGH (7.5)
          • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A

          References:

          Vulnerable Software & Versions:

          CVE-2022-38749  

          Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow.
          CWE-787 Out-of-bounds Write, CWE-121 Stack-based Buffer Overflow

          CVSSv3:
          • Base Score: MEDIUM (6.5)
          • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:2.8/RC:R/MAV:A

          References:

          Vulnerable Software & Versions:

          CVE-2022-38751  

          Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow.
          CWE-787 Out-of-bounds Write, CWE-121 Stack-based Buffer Overflow

          CVSSv3:
          • Base Score: MEDIUM (6.5)
          • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:2.8/RC:R/MAV:A

          References:

          Vulnerable Software & Versions:

          CVE-2022-38752  

          Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow.
          CWE-787 Out-of-bounds Write, CWE-121 Stack-based Buffer Overflow

          CVSSv3:
          • Base Score: MEDIUM (6.5)
          • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:2.8/RC:R/MAV:A

          References:

          Vulnerable Software & Versions:

          CVE-2022-41854  

          Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.
          CWE-787 Out-of-bounds Write, CWE-121 Stack-based Buffer Overflow

          CVSSv3:
          • Base Score: MEDIUM (6.5)
          • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:2.8/RC:R/MAV:A

          References:

          Vulnerable Software & Versions:

          CVE-2022-38750  

          Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow.
          CWE-787 Out-of-bounds Write, CWE-121 Stack-based Buffer Overflow

          CVSSv3:
          • Base Score: MEDIUM (5.5)
          • Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:1.8/RC:R/MAV:A

          References:

          Vulnerable Software & Versions:

          solr-commons-csv-3.1.0.jar (shaded: org.apache.commons:commons-csv:1.0-SNAPSHOT)

          File Path: /home/vaclav/.m2/repository/org/apache/solr/solr-commons-csv/3.1.0/solr-commons-csv-3.1.0.jar/META-INF/maven/org.apache.commons/commons-csv/pom.xml
          MD5: 22ce16168c168baf41cba8909556a14c
          SHA1: 877195885993c8879c5d54c1b57ca7a6f2d4623d
          SHA256: bf30f10b63a2ce8a5247f704b38678e066fc9f292c1f21e2070fcd7f04c57b6d
          Referenced In Project/Scope: OpenKM Web Application:compile

          Identifiers

          solr-core-3.1.0.jar

          Description:

          Apache Solr Core

          File Path: /home/vaclav/.m2/repository/org/apache/solr/solr-core/3.1.0/solr-core-3.1.0.jar
          MD5: 381e3a1089b35160415144f3a2a1e65c
          SHA1: f11ea0c9f359a4ec48dd734595ae5e949b287692
          SHA256: bc371866b4d2ff1bf45a0bb3b0f5a432c707b566584311fc9a932fa66dfebc3b
          Referenced In Project/Scope: OpenKM Web Application:compile
          solr-core-3.1.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.hibernate/hibernate-search@3.4.2.Final

          Identifiers

          CVE-2021-27905  

          The ReplicationHandler (normally registered at "/replication" under a Solr core) in Apache Solr has a "masterUrl" (also "leaderUrl" alias) parameter that is used to designate another ReplicationHandler on another Solr core to replicate index data into the local core. To prevent a SSRF vulnerability, Solr ought to check these parameters against a similar configuration it uses for the "shards" parameter. Prior to this bug getting fixed, it did not. This problem affects essentially all Solr versions prior to it getting fixed in 8.8.2.
          CWE-918 Server-Side Request Forgery (SSRF)

          CVSSv2:
          • Base Score: HIGH (7.5)
          • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
          CVSSv3:
          • Base Score: CRITICAL (9.8)
          • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A

          References:

          Vulnerable Software & Versions:

          CVE-2021-44548  

          An Improper Input Validation vulnerability in DataImportHandler of Apache Solr allows an attacker to provide a Windows UNC path resulting in an SMB network call being made from the Solr host to another host on the network. If the attacker has wider access to the network, this may lead to SMB attacks, which may result in:
          • The exfiltration of sensitive data such as OS user hashes (NTLM/LM hashes)
          • In case of misconfigured systems, SMB Relay Attacks which can lead to user impersonation on SMB Shares or, in a worse-case scenario, Remote Code Execution
          This issue affects all Apache Solr versions prior to 8.11.1. This issue only affects Windows.
          CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), CWE-20 Improper Input Validation, CWE-40 Path Traversal: '\\UNC\share\name\' (Windows UNC Share)

          CVSSv2:
          • Base Score: MEDIUM (6.8)
          • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
          CVSSv3:
          • Base Score: CRITICAL (9.8)
          • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A

          References:

          Vulnerable Software & Versions:

          CVE-2021-29943  

          When using ConfigurableInternodeAuthHadoopPlugin for authentication, Apache Solr versions prior to 8.8.2 would forward/proxy distributed requests using server credentials instead of original client credentials. This would result in incorrect authorization resolution on the receiving hosts.
          CWE-863 Incorrect Authorization

          CVSSv2:
          • Base Score: MEDIUM (6.4)
          • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
          CVSSv3:
          • Base Score: CRITICAL (9.1)
          • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:3.9/RC:R/MAV:A

          References:

          Vulnerable Software & Versions:

          CVE-2020-13941  

          Reported in SOLR-14515 (private) and fixed in SOLR-14561 (public), released in Solr version 8.6.0. The Replication handler (https://lucene.apache.org/solr/guide/8_6/index-replication.html#http-api-commands-for-the-replicationhandler) allows commands backup, restore and deleteBackup. Each of these take a location parameter, which was not validated, i.e. you could read/write to any location the solr user can access.
          CWE-20 Improper Input Validation

          CVSSv2:
          • Base Score: MEDIUM (6.5)
          • Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P
          CVSSv3:
          • Base Score: HIGH (8.8)
          • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:2.8/RC:R/MAV:A

          References:

          Vulnerable Software & Versions:

          CVE-2012-6612  

          The (1) UpdateRequestHandler for XSLT or (2) XPathEntityProcessor in Apache Solr before 4.1 allows remote attackers to have an unspecified impact via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, different vectors than CVE-2013-6407.
          NVD-CWE-noinfo

          CVSSv2:
          • Base Score: HIGH (7.5)
          • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P

          References:

          Vulnerable Software & Versions:

          CVE-2017-3163  

          When using the Index Replication feature, Apache Solr nodes can pull index files from a master/leader node using an HTTP API which accepts a file name. However, Solr before 5.5.4 and 6.x before 6.4.1 did not validate the file name, hence it was possible to craft a special request involving path traversal, leaving any file readable to the Solr server process exposed. Solr servers protected and restricted by firewall rules and/or authentication would not be at risk since only trusted clients and users would gain direct HTTP access.
          CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

          CVSSv2:
          • Base Score: MEDIUM (5.0)
          • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
          CVSSv3:
          • Base Score: HIGH (7.5)
          • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:3.9/RC:R/MAV:A

          References:

            Vulnerable Software & Versions:

            CVE-2017-3164  

            Server Side Request Forgery in Apache Solr, versions 1.3 until 7.6 (inclusive). Since the "shards" parameter does not have a corresponding whitelist mechanism, a remote attacker with access to the server could make Solr perform an HTTP GET request to any reachable URL.
            CWE-918 Server-Side Request Forgery (SSRF)

            CVSSv2:
            • Base Score: MEDIUM (5.0)
            • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
            CVSSv3:
            • Base Score: HIGH (7.5)
            • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:3.9/RC:R/MAV:A

            References:

            Vulnerable Software & Versions:

            CVE-2018-1308  

            This vulnerability in Apache Solr 1.2 to 6.6.2 and 7.0.0 to 7.2.1 relates to an XML external entity expansion (XXE) in the `&dataConfig=<inlinexml>` parameter of Solr's DataImportHandler. It can be used as XXE using file/ftp/http protocols in order to read arbitrary local files from the Solr server or the internal network.
            CWE-611 Improper Restriction of XML External Entity Reference

            CVSSv2:
            • Base Score: MEDIUM (5.0)
            • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
            CVSSv3:
            • Base Score: HIGH (7.5)
            • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:3.9/RC:R/MAV:A

            References:

            Vulnerable Software & Versions:

            CVE-2019-12401  

            Solr versions 1.3.0 to 1.4.1, 3.1.0 to 3.6.2 and 4.0.0 to 4.10.4 are vulnerable to an XML resource consumption attack (a.k.a. Lol Bomb) via its update handler. By leveraging XML DOCTYPE and ENTITY type elements, the attacker can create a pattern that will expand when the server parses the XML causing OOMs.
            CWE-776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

            CVSSv2:
            • Base Score: MEDIUM (5.0)
            • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
            CVSSv3:
            • Base Score: HIGH (7.5)
            • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A

            References:

            Vulnerable Software & Versions:

            CVE-2021-29262  

            When starting Apache Solr versions prior to 8.8.2, configured with the SaslZkACLProvider or VMParamsAllAndReadonlyDigestZkACLProvider and no existing security.json znode, if the optional read-only user is configured then Solr would not treat that node as a sensitive path and would allow it to be readable. Additionally, with any ZkACLProvider, if the security.json is already present, Solr will not automatically update the ACLs.
            CWE-522 Insufficiently Protected Credentials

            CVSSv2:
            • Base Score: MEDIUM (4.3)
            • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
            CVSSv3:
            • Base Score: HIGH (7.5)
            • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:3.9/RC:R/MAV:A

            References:

            Vulnerable Software & Versions:

            CVE-2023-44487  

            CISA Known Exploited Vulnerability:
            • Product: IETF HTTP/2
            • Name: HTTP/2 Rapid Reset Attack Vulnerability
            • Date Added: 2023-10-10
            • Description: HTTP/2 contains a rapid reset vulnerability that allows for a distributed denial-of-service attack (DDoS).
            • Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
            • Due Date: 2023-10-31
            • Notes: https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/

            The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
            CWE-400 Uncontrolled Resource Consumption

            CVSSv3:
            • Base Score: HIGH (7.5)
            • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A

            References:

            Vulnerable Software & Versions:

            CVE-2019-0193  

            CISA Known Exploited Vulnerability:
            • Product: Apache Solr
            • Name: Apache Solr DataImportHandler Code Injection Vulnerability
            • Date Added: 2021-12-10
            • Description: The optional Apache Solr module DataImportHandler contains a code injection vulnerability.
            • Required Action: Apply updates per vendor instructions.
            • Due Date: 2022-06-10

            In Apache Solr, the DataImportHandler, an optional but popular module to pull in data from databases and other sources, has a feature in which the whole DIH configuration can come from a request's "dataConfig" parameter. The debug mode of the DIH admin screen uses this to allow convenient debugging / development of a DIH config. Since a DIH config can contain scripts, this parameter is a security risk. Starting with version 8.2.0 of Solr, use of this parameter requires setting the Java System property "enable.dih.dataConfigParam" to true.
            CWE-94 Improper Control of Generation of Code ('Code Injection')

            CVSSv2:
            • Base Score: HIGH (9.0)
            • Vector: /AV:N/AC:L/Au:S/C:C/I:C/A:C
            CVSSv3:
            • Base Score: HIGH (7.2)
            • Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:1.2/RC:R/MAV:A

            References:

            Vulnerable Software & Versions:

            CVE-2013-6407  

            The UpdateRequestHandler for XML in Apache Solr before 4.1 allows remote attackers to have an unspecified impact via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
            NVD-CWE-noinfo

            CVSSv2:
            • Base Score: MEDIUM (6.4)
            • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:P

            References:

            Vulnerable Software & Versions:

            CVE-2013-6408  

            The DocumentAnalysisRequestHandler in Apache Solr before 4.3.1 does not properly use the EmptyEntityResolver, which allows remote attackers to have an unspecified impact via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-6407.
            NVD-CWE-noinfo

            CVSSv2:
            • Base Score: MEDIUM (6.4)
            • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:P

            References:

            Vulnerable Software & Versions:

            CVE-2015-8795  

            Multiple cross-site scripting (XSS) vulnerabilities in the Admin UI in Apache Solr before 5.1 allow remote attackers to inject arbitrary web script or HTML via crafted fields that are mishandled during the rendering of the (1) Analysis page, related to webapp/web/js/scripts/analysis.js or (2) Schema-Browser page, related to webapp/web/js/scripts/schema-browser.js.
            CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

            CVSSv2:
            • Base Score: MEDIUM (4.3)
            • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
            CVSSv3:
            • Base Score: MEDIUM (6.1)
            • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:2.8/RC:R/MAV:A

            References:

            Vulnerable Software & Versions:

            CVE-2015-8796  

            Cross-site scripting (XSS) vulnerability in webapp/web/js/scripts/schema-browser.js in the Admin UI in Apache Solr before 5.3 allows remote attackers to inject arbitrary web script or HTML via a crafted schema-browse URL.
            CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

            CVSSv2:
            • Base Score: MEDIUM (4.3)
            • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
            CVSSv3:
            • Base Score: MEDIUM (6.1)
            • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:2.8/RC:R/MAV:A

            References:

            Vulnerable Software & Versions:

            CVE-2015-8797  

            Cross-site scripting (XSS) vulnerability in webapp/web/js/scripts/plugins.js in the stats page in the Admin UI in Apache Solr before 5.3.1 allows remote attackers to inject arbitrary web script or HTML via the entry parameter to a plugins/cache URI.
            CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

            CVSSv2:
            • Base Score: MEDIUM (4.3)
            • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
            CVSSv3:
            • Base Score: MEDIUM (6.1)
            • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:2.8/RC:R/MAV:A

            References:

            Vulnerable Software & Versions:

            CVE-2013-6397  

            Directory traversal vulnerability in SolrResourceLoader in Apache Solr before 4.6 allows remote attackers to read arbitrary files via a .. (dot dot) or full pathname in the tr parameter to solr/select/, when the response writer (wt parameter) is set to XSLT.  NOTE: this can be leveraged using a separate XXE (XML eXternal Entity) vulnerability to allow access to files across restricted network boundaries.
            CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

            CVSSv2:
            • Base Score: MEDIUM (4.3)
            • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N

            References:

            Vulnerable Software & Versions:

            CVE-2018-11802  

            In Apache Solr, the cluster can be partitioned into multiple collections and only a subset of nodes actually host any given collection. However, if a node receives a request for a collection it does not host, it proxies the request to a relevant node and serves the request. Solr bypasses all authorization settings for such requests. This affects all Solr versions prior to 7.7 that use the default authorization mechanism of Solr (RuleBasedAuthorizationPlugin).
            CWE-863 Incorrect Authorization

            CVSSv2:
            • Base Score: MEDIUM (4.0)
            • Vector: /AV:N/AC:L/Au:S/C:P/I:N/A:N
            CVSSv3:
            • Base Score: MEDIUM (4.3)
            • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:2.8/RC:R/MAV:A

            References:

            Vulnerable Software & Versions:

            solr.js

            File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/solr/solr.js
            MD5: 7ec868603bab2f2f633f1cffb6af0757
            SHA1: 78e5cf94fcd21e558edeb96e44001f2d941beb47
            SHA256: 8a84502fb860a6a1656b9d9d0747e5462abfef8029725455addd4ab68068f3dc
            Referenced In Project/Scope: OpenKM Web Application

            Identifiers

            • None

            sparql.js

            File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/sparql/sparql.js
            MD5: 5ad2b666cf4cda3808bc14586cd32330
            SHA1: e167460275abad609a02bd7b3c92bc15cb8d53fa
            SHA256: 46a77a63732eae732a798e8d64934e81f8e5661406cb80798c80ab5465c5c105
            Referenced In Project/Scope: OpenKM Web Application

            Identifiers

            • None

            spring-core-3.2.18.RELEASE.jar

            Description:

            Spring Core

            License:

            The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
            File Path: /home/vaclav/.m2/repository/org/springframework/spring-core/3.2.18.RELEASE/spring-core-3.2.18.RELEASE.jar
            MD5: 635537b54653d8155b107630ae41599e
            SHA1: 0e2bd9c162280cd79c2ea0f67f174ee5d7b84ddd
            SHA256: 5c7ab868509a6b1214ebe557bfcf489cfac6e1ae4c4a39181b0fe66621fbe32e
            Referenced In Project/Scope: OpenKM Web Application:compile
            spring-core-3.2.18.RELEASE.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12

            Identifiers

            CVE-2018-1270  

            Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.
            CWE-358 Improperly Implemented Security Check for Standard, CWE-94 Improper Control of Generation of Code ('Code Injection')

            CVSSv2:
            • Base Score: HIGH (7.5)
            • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
            CVSSv3:
            • Base Score: CRITICAL (9.8)
            • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A

            References:

            Vulnerable Software & Versions:

            CVE-2022-22965  

            CISA Known Exploited Vulnerability:
            • Product: VMware Spring Framework
            • Name: Spring Framework JDK 9+ Remote Code Execution Vulnerability
            • Date Added: 2022-04-04
            • Description: Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding.
            • Required Action: Apply updates per vendor instructions.
            • Due Date: 2022-04-25

            A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
            CWE-94 Improper Control of Generation of Code ('Code Injection')

            CVSSv2:
            • Base Score: HIGH (7.5)
            • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
            CVSSv3:
            • Base Score: CRITICAL (9.8)
            • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A

            References:

            Vulnerable Software & Versions:

            CVE-2016-5007  

            Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space trimming in path segments, can lead Spring Security to not recognize certain paths as not protected that are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring Framework provides richer features with regards to pattern matching as well as by the fact that pattern matching in each Spring Security and the Spring Framework can easily be customized creating additional differences.
            CWE-264 Permissions, Privileges, and Access Controls

            CVSSv2:
            • Base Score: MEDIUM (5.0)
            • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
            CVSSv3:
            • Base Score: HIGH (7.5)
            • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:3.9/RC:R/MAV:A

            References:

            Vulnerable Software & Versions:

            CVE-2018-11040  

            Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot, however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests.
            CWE-829 Inclusion of Functionality from Untrusted Control Sphere

            CVSSv2:
            • Base Score: MEDIUM (4.3)
            • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
            CVSSv3:
            • Base Score: HIGH (7.5)
            • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:3.9/RC:R/MAV:A

            References:

            Vulnerable Software & Versions:

            CVE-2018-1257  

            Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression denial of service attack.
            NVD-CWE-noinfo

            CVSSv2:
            • Base Score: MEDIUM (4.0)
            • Vector: /AV:N/AC:L/Au:S/C:N/I:N/A:P
            CVSSv3:
            • Base Score: MEDIUM (6.5)
            • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:2.8/RC:R/MAV:A

            References:

            Vulnerable Software & Versions:

            CVE-2020-5421  

            In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
            NVD-CWE-noinfo

            CVSSv2:
            • Base Score: LOW (3.6)
            • Vector: /AV:N/AC:H/Au:S/C:P/I:P/A:N
            CVSSv3:
            • Base Score: MEDIUM (6.5)
            • Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N/E:1.3/RC:R/MAV:A

            References:

            Vulnerable Software & Versions:

            CVE-2022-22950  

            In Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.
            CWE-770 Allocation of Resources Without Limits or Throttling

            CVSSv2:
            • Base Score: MEDIUM (4.0)
            • Vector: /AV:N/AC:L/Au:S/C:N/I:N/A:P
            CVSSv3:
            • Base Score: MEDIUM (6.5)
            • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:2.8/RC:R/MAV:A

            References:

            Vulnerable Software & Versions:

            CVE-2023-20861  

            In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.
            NVD-CWE-noinfo

            CVSSv3:
            • Base Score: MEDIUM (6.5)
            • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:2.8/RC:R/MAV:A

            References:

            Vulnerable Software & Versions:

            CVE-2018-11039  

            Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.
            NVD-CWE-noinfo

            CVSSv2:
            • Base Score: MEDIUM (4.3)
            • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
            CVSSv3:
            • Base Score: MEDIUM (5.9)
            • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:2.2/RC:R/MAV:A

            References:

            Vulnerable Software & Versions:

            CVE-2022-22968  

            In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path.
            CWE-178 Improper Handling of Case Sensitivity

            CVSSv2:
            • Base Score: MEDIUM (5.0)
            • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
            CVSSv3:
            • Base Score: MEDIUM (5.3)
            • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:3.9/RC:R/MAV:A

            References:

            Vulnerable Software & Versions:

            CVE-2022-22970  

            In Spring Framework versions prior to 5.3.20+, 5.2.22+ and old unsupported versions, applications that handle file uploads are vulnerable to DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.
            CWE-770 Allocation of Resources Without Limits or Throttling

            CVSSv2:
            • Base Score: LOW (3.5)
            • Vector: /AV:N/AC:M/Au:S/C:N/I:N/A:P
            CVSSv3:
            • Base Score: MEDIUM (5.3)
            • Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:1.6/RC:R/MAV:A

            References:

            Vulnerable Software & Versions:

            spring-expression-3.2.18.RELEASE.jar

            Description:

            Spring Expression Language (SpEL)

            License:

            The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
            File Path: /home/vaclav/.m2/repository/org/springframework/spring-expression/3.2.18.RELEASE/spring-expression-3.2.18.RELEASE.jar
            MD5: 7e5fbe8696a4e71dc310c1ff9f8286e1
            SHA1: 070c1fb9f2111601193e01a8d0c3ccbca1bf3706
            SHA256: cde7eda6cc2270ab726f963aeb546c3f4db76746c661c247fbfb5d2a4d2f4411
            Referenced In Project/Scope: OpenKM Web Application:compile
            spring-expression-3.2.18.RELEASE.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework/spring-context@3.2.18.RELEASE

            Identifiers

            CVE-2018-1270  

            Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.
            CWE-358 Improperly Implemented Security Check for Standard, CWE-94 Improper Control of Generation of Code ('Code Injection')

            CVSSv2:
            • Base Score: HIGH (7.5)
            • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
            CVSSv3:
            • Base Score: CRITICAL (9.8)
            • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A

            References:

            Vulnerable Software & Versions:

            CVE-2022-22965  

            CISA Known Exploited Vulnerability:
            • Product: VMware Spring Framework
            • Name: Spring Framework JDK 9+ Remote Code Execution Vulnerability
            • Date Added: 2022-04-04
            • Description: Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding.
            • Required Action: Apply updates per vendor instructions.
            • Due Date: 2022-04-25

            A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
            CWE-94 Improper Control of Generation of Code ('Code Injection')

            CVSSv2:
            • Base Score: HIGH (7.5)
            • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
            CVSSv3:
            • Base Score: CRITICAL (9.8)
            • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A

            References:

            Vulnerable Software & Versions:

            CVE-2016-5007  

            Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space trimming in path segments, can lead Spring Security to not recognize certain paths as not protected that are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring Framework provides richer features with regards to pattern matching as well as by the fact that pattern matching in each Spring Security and the Spring Framework can easily be customized creating additional differences.
            CWE-264 Permissions, Privileges, and Access Controls

            CVSSv2:
            • Base Score: MEDIUM (5.0)
            • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
            CVSSv3:
            • Base Score: HIGH (7.5)
            • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:3.9/RC:R/MAV:A

            References:

            Vulnerable Software & Versions:

            CVE-2018-11040  

            Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot, however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests.
            CWE-829 Inclusion of Functionality from Untrusted Control Sphere

            CVSSv2:
            • Base Score: MEDIUM (4.3)
            • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
            CVSSv3:
            • Base Score: HIGH (7.5)
            • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:3.9/RC:R/MAV:A

            References:

            Vulnerable Software & Versions:

            CVE-2018-1257  

            Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression denial of service attack.
            NVD-CWE-noinfo

            CVSSv2:
            • Base Score: MEDIUM (4.0)
            • Vector: /AV:N/AC:L/Au:S/C:N/I:N/A:P
            CVSSv3:
            • Base Score: MEDIUM (6.5)
            • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:2.8/RC:R/MAV:A

            References:

            Vulnerable Software & Versions:

            CVE-2020-5421  

            In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
            NVD-CWE-noinfo

            CVSSv2:
            • Base Score: LOW (3.6)
            • Vector: /AV:N/AC:H/Au:S/C:P/I:P/A:N
            CVSSv3:
            • Base Score: MEDIUM (6.5)
            • Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N/E:1.3/RC:R/MAV:A

            References:

            Vulnerable Software & Versions:

            CVE-2022-22950  

            In Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.
            CWE-770 Allocation of Resources Without Limits or Throttling

            CVSSv2:
            • Base Score: MEDIUM (4.0)
            • Vector: /AV:N/AC:L/Au:S/C:N/I:N/A:P
            CVSSv3:
            • Base Score: MEDIUM (6.5)
            • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:2.8/RC:R/MAV:A

            References:

            Vulnerable Software & Versions:

            CVE-2023-20861  

            In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.
            NVD-CWE-noinfo

            CVSSv3:
            • Base Score: MEDIUM (6.5)
            • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:2.8/RC:R/MAV:A

            References:

            Vulnerable Software & Versions:

            CVE-2023-20863 (OSSINDEX)  

            In Spring Framework versions prior to 5.2.24 release+, 5.3.27+ and 6.0.8+, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.
            CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

            CVSSv3:
            • Base Score: MEDIUM (6.5)
            • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

            References:

            Vulnerable Software & Versions (OSSINDEX):

            • cpe:2.3:a:org.springframework:spring-expression:3.2.18.RELEASE:*:*:*:*:*:*:*

            CVE-2018-11039  

            Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.
            NVD-CWE-noinfo

            CVSSv2:
            • Base Score: MEDIUM (4.3)
            • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
            CVSSv3:
            • Base Score: MEDIUM (5.9)
            • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:2.2/RC:R/MAV:A

            References:

            Vulnerable Software & Versions:

            CVE-2022-22968  

            In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path.
            CWE-178 Improper Handling of Case Sensitivity

            CVSSv2:
            • Base Score: MEDIUM (5.0)
            • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
            CVSSv3:
            • Base Score: MEDIUM (5.3)
            • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:3.9/RC:R/MAV:A

            References:

            Vulnerable Software & Versions:

            CVE-2022-22970  

            In Spring Framework versions prior to 5.3.20+, 5.2.22+ and old unsupported versions, applications that handle file uploads are vulnerable to DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.
            CWE-770 Allocation of Resources Without Limits or Throttling

            CVSSv2:
            • Base Score: LOW (3.5)
            • Vector: /AV:N/AC:M/Au:S/C:N/I:N/A:P
            CVSSv3:
            • Base Score: MEDIUM (5.3)
            • Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:1.6/RC:R/MAV:A

            References:

            Vulnerable Software & Versions:

            spring-ldap-core-1.3.2.RELEASE.jar

            Description:

            spring-ldap-core

            License:

            The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
            File Path: /home/vaclav/.m2/repository/org/springframework/ldap/spring-ldap-core/1.3.2.RELEASE/spring-ldap-core-1.3.2.RELEASE.jar
            MD5: 22fd2c2a902ebd78c66a19cfdadd649d
            SHA1: cae848fe4280fef46bad5a7bad2fe4404f8bd442
            SHA256: 5a65f2e31546435bdb6171027cd3e8448447bbc97e86a057645241905700e109
            Referenced In Project/Scope: OpenKM Web Application:compile
            spring-ldap-core-1.3.2.RELEASE.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.security/spring-security-ldap@3.2.10.RELEASE

            Identifiers

            CVE-2017-8028  

            In Pivotal Spring-LDAP versions 1.3.0 - 2.3.1, when connected to some LDAP servers, when no additional attributes are bound, and when using LDAP BindAuthenticator with org.springframework.ldap.core.support.DefaultTlsDirContextAuthenticationStrategy as the authentication strategy, and setting userSearch, authentication is allowed with an arbitrary password when the username is correct. This occurs because some LDAP vendors require an explicit operation for the LDAP bind to take effect.
            CWE-287 Improper Authentication

            CVSSv2:
            • Base Score: MEDIUM (5.1)
            • Vector: /AV:N/AC:H/Au:N/C:P/I:P/A:P
            CVSSv3:
            • Base Score: HIGH (8.1)
            • Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:2.2/RC:R/MAV:A

            References:

            Vulnerable Software & Versions:

            spring-oxm-3.2.4.RELEASE.jar

            Description:

            Spring Object/XML Marshalling

            License:

            The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
            File Path: /home/vaclav/.m2/repository/org/springframework/spring-oxm/3.2.4.RELEASE/spring-oxm-3.2.4.RELEASE.jar
            MD5: 2abb980787ce24a67a9496172cef65cf
            SHA1: 1de9e0537d7ea233668540577e72d86ff6df6d8b
            SHA256: fc259b1b0946c862527c5714dca66f6e884ce8249b35d146bed0fa66d553b1e8
            Referenced In Project/Scope: OpenKM Web Application:compile
            spring-oxm-3.2.4.RELEASE.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.ws/spring-ws-core@2.1.4.RELEASE

            Identifiers

            CVE-2018-1270  

            Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.
            CWE-358 Improperly Implemented Security Check for Standard, CWE-94 Improper Control of Generation of Code ('Code Injection')

            CVSSv2:
            • Base Score: HIGH (7.5)
            • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
            CVSSv3:
            • Base Score: CRITICAL (9.8)
            • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A

            References:

            Vulnerable Software & Versions:

            CVE-2022-22965  

            CISA Known Exploited Vulnerability:
            • Product: VMware Spring Framework
            • Name: Spring Framework JDK 9+ Remote Code Execution Vulnerability
            • Date Added: 2022-04-04
            • Description: Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding.
            • Required Action: Apply updates per vendor instructions.
            • Due Date: 2022-04-25

            A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
            CWE-94 Improper Control of Generation of Code ('Code Injection')

            CVSSv2:
            • Base Score: HIGH (7.5)
            • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
            CVSSv3:
            • Base Score: CRITICAL (9.8)
            • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A

            References:

            Vulnerable Software & Versions:

            CVE-2015-5211  

            Under some situations, the Spring Framework 4.2.0 to 4.2.1, 4.0.0 to 4.1.7, 3.2.0 to 3.2.14 and older unsupported versions is vulnerable to a Reflected File Download (RFD) attack. The attack involves a malicious user crafting a URL with a batch script extension that results in the response being downloaded rather than rendered and also includes some input reflected in the response.
            CWE-552 Files or Directories Accessible to External Parties

            CVSSv2:
            • Base Score: HIGH (9.3)
            • Vector: /AV:N/AC:M/Au:N/C:C/I:C/A:C
            CVSSv3:
            • Base Score: CRITICAL (9.6)
            • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:2.8/RC:R/MAV:A

            References:

            Vulnerable Software & Versions:

            CVE-2014-0225  

            When processing user provided XML documents, the Spring Framework 4.0.0 to 4.0.4, 3.0.0 to 3.2.8, and possibly earlier unsupported versions did not disable by default the resolution of URI references in a DTD declaration. This enabled an XXE attack.
            CWE-611 Improper Restriction of XML External Entity Reference

            CVSSv2:
            • Base Score: MEDIUM (6.8)
            • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
            CVSSv3:
            • Base Score: HIGH (8.8)
            • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:2.8/RC:R/MAV:A

            References:

            Vulnerable Software & Versions:

            CVE-2016-5007  

            Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space trimming in path segments, can lead Spring Security to not recognize certain paths as not protected that are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring Framework provides richer features with regards to pattern matching as well as by the fact that pattern matching in each Spring Security and the Spring Framework can easily be customized creating additional differences.
            CWE-264 Permissions, Privileges, and Access Controls

            CVSSv2:
            • Base Score: MEDIUM (5.0)
            • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
            CVSSv3:
            • Base Score: HIGH (7.5)
            • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:3.9/RC:R/MAV:A

            References:

            Vulnerable Software & Versions:

            CVE-2016-9878  

            An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks.
            CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

            CVSSv2:
            • Base Score: MEDIUM (5.0)
            • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
            CVSSv3:
            • Base Score: HIGH (7.5)
            • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:3.9/RC:R/MAV:A

            References:

            Vulnerable Software & Versions:

            CVE-2018-11040  

            Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot, however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests.
            CWE-829 Inclusion of Functionality from Untrusted Control Sphere

            CVSSv2:
            • Base Score: MEDIUM (4.3)
            • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
            CVSSv3:
            • Base Score: HIGH (7.5)
            • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:3.9/RC:R/MAV:A

            References:

            Vulnerable Software & Versions:

            CVE-2013-6429  

            The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152 and CVE-2013-7315.
            CWE-611 Improper Restriction of XML External Entity Reference, CWE-352 Cross-Site Request Forgery (CSRF)

            CVSSv2:
            • Base Score: MEDIUM (6.8)
            • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P

            References:

            Vulnerable Software & Versions:

            CVE-2014-0054  

            The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.
            CWE-352 Cross-Site Request Forgery (CSRF)

            CVSSv2:
            • Base Score: MEDIUM (6.8)
            • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P

            References:

            Vulnerable Software & Versions:

            CVE-2018-1257  

            Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression denial of service attack.
            NVD-CWE-noinfo

            CVSSv2:
            • Base Score: MEDIUM (4.0)
            • Vector: /AV:N/AC:L/Au:S/C:N/I:N/A:P
            CVSSv3:
            • Base Score: MEDIUM (6.5)
            • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:2.8/RC:R/MAV:A

            References:

            Vulnerable Software & Versions:

            CVE-2020-5421  

            In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
            NVD-CWE-noinfo

            CVSSv2:
            • Base Score: LOW (3.6)
            • Vector: /AV:N/AC:H/Au:S/C:P/I:P/A:N
            CVSSv3:
            • Base Score: MEDIUM (6.5)
            • Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N/E:1.3/RC:R/MAV:A

            References:

            Vulnerable Software & Versions:

            CVE-2022-22950  

            In Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.
            CWE-770 Allocation of Resources Without Limits or Throttling

            CVSSv2:
            • Base Score: MEDIUM (4.0)
            • Vector: /AV:N/AC:L/Au:S/C:N/I:N/A:P
            CVSSv3:
            • Base Score: MEDIUM (6.5)
            • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:2.8/RC:R/MAV:A

            References:

            Vulnerable Software & Versions:

            CVE-2023-20861  

            In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.
            NVD-CWE-noinfo

            CVSSv3:
            • Base Score: MEDIUM (6.5)
            • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:2.8/RC:R/MAV:A

            References:

            Vulnerable Software & Versions:

            CVE-2018-11039  

            Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.
            NVD-CWE-noinfo

            CVSSv2:
            • Base Score: MEDIUM (4.3)
            • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
            CVSSv3:
            • Base Score: MEDIUM (5.9)
            • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:2.2/RC:R/MAV:A

            References:

            Vulnerable Software & Versions:

            CVE-2015-3192  

            Pivotal Spring Framework before 3.2.14 and 4.x before 4.1.7 do not properly process inline DTD declarations when DTD is not entirely disabled, which allows remote attackers to cause a denial of service (memory consumption and out-of-memory errors) via a crafted XML file.
            CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

            CVSSv2:
            • Base Score: MEDIUM (4.3)
            • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
            CVSSv3:
            • Base Score: MEDIUM (5.5)
            • Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:1.8/RC:R/MAV:A

            References:

            Vulnerable Software & Versions: (show all)

            CVE-2022-22968  

            In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path.
            CWE-178 Improper Handling of Case Sensitivity

            CVSSv2:
            • Base Score: MEDIUM (5.0)
            • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
            CVSSv3:
            • Base Score: MEDIUM (5.3)
            • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:3.9/RC:R/MAV:A

            References:

            Vulnerable Software & Versions: (show all)
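The case-sensitivity gap described above, as an added example that is not Spring Framework code: a minimal Python model of a DataBinder disallowedFields check. `simple_match` follows the `xxx*` / `*xxx` / `*xxx*` pattern style such deny-lists use; the property paths and deny patterns are constructed inputs, and the hardened variant compares case-insensitively, which is the fix the advisory describes. The extra first-letter canonicalisation step is this example's own addition.

```python
import re
from typing import Iterable

def simple_match(pattern: str, value: str, ignore_case: bool = False) -> bool:
    """Match a disallowedFields-style pattern: '*' is a wildcard, all else literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None

def field_allowed_vulnerable(field: str, disallowed: Iterable[str]) -> bool:
    """Case-sensitive check: the behaviour the advisory describes as bypassable."""
    return not any(simple_match(p, field) for p in disallowed)

def field_allowed_hardened(field: str, disallowed: Iterable[str]) -> bool:
    """Case-insensitive check, so 'Class.classLoader' is caught by 'class.*'.

    Also canonicalises each property-path segment to a lower-case first letter
    (constructed belt-and-braces step, mirroring how bean property names are
    usually introspected) and tests both spellings against every pattern.
    """
    canonical = ".".join(seg[:1].lower() + seg[1:] for seg in field.split("."))
    return not any(
        simple_match(p, canonical, ignore_case=True) or simple_match(p, field, ignore_case=True)
        for p in disallowed
    )

# Constructed deny-list: the kind used to keep a request from binding into the
# bean's class loader via a property-path walk.
DISALLOWED = ["class.*", "*.class.*"]

# Constructed submitted field names, one per case the advisory talks about.
SUBMITTED_FIELDS = [
    "name",                               # ordinary property, must stay bindable
    "class.classLoader.URLs[0]",          # caught by 'class.*' either way
    "Class.classLoader.URLs[0]",          # upper-case first char: bypass when case-sensitive
    "address.Class.ClassLoader.URLs[0]",  # nested segment with mixed case: same bypass
]

def audit(fields=SUBMITTED_FIELDS, disallowed=DISALLOWED):
    """Return {field: (allowed_by_vulnerable_check, allowed_by_hardened_check)}."""
    return {f: (field_allowed_vulnerable(f, disallowed), field_allowed_hardened(f, disallowed))
            for f in fields}

if __name__ == "__main__":
    for field, (vuln, hard) in audit().items():
        print(f"{field:40} case-sensitive allows={vuln!s:5} hardened allows={hard}")
```

Run as a script it prints one line per field; the two `Class`-spelled paths are the ones the case-sensitive check lets through and the hardened check blocks.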

            CVE-2022-22970  

            In Spring Framework versions prior to 5.3.20, 5.2.22, and older unsupported versions, applications that handle file uploads are vulnerable to a DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.
            CWE-770 Allocation of Resources Without Limits or Throttling

            CVSSv2:
            • Base Score: LOW (3.5)
            • Vector: /AV:N/AC:M/Au:S/C:N/I:N/A:P
            CVSSv3:
            • Base Score: MEDIUM (5.3)
            • Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:1.6/RC:R/MAV:A

            References:

            Vulnerable Software & Versions: (show all)

            CVE-2014-3578  

            Directory traversal vulnerability in Pivotal Spring Framework 3.x before 3.2.9 and 4.0 before 4.0.5 allows remote attackers to read arbitrary files via a crafted URL.
            CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

            CVSSv2:
            • Base Score: MEDIUM (5.0)
            • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N

            References:

            Vulnerable Software & Versions: (show all)

            CVE-2014-3625  

            Directory traversal vulnerability in Pivotal Spring Framework 3.0.4 through 3.2.x before 3.2.12, 4.0.x before 4.0.8, and 4.1.x before 4.1.2 allows remote attackers to read arbitrary files via unspecified vectors, related to static resource handling.
            CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

            CVSSv2:
            • Base Score: MEDIUM (5.0)
            • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N

            References:

            Vulnerable Software & Versions: (show all)

            CVE-2014-1904  

            Cross-site scripting (XSS) vulnerability in web/servlet/tags/form/FormTag.java in Spring MVC in Spring Framework 3.0.0 before 3.2.8 and 4.0.0 before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the requested URI in a default action.
            CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

            CVSSv2:
            • Base Score: MEDIUM (4.3)
            • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N

            References:

            Vulnerable Software & Versions: (show all)

            spring-security-acl-3.2.10.RELEASE.jar

            Description:

            spring-security-acl

            License:

            The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
            File Path: /home/vaclav/.m2/repository/org/springframework/security/spring-security-acl/3.2.10.RELEASE/spring-security-acl-3.2.10.RELEASE.jar
            MD5: f87a9ef5d7952bc6f8096b3223d67e19
            SHA1: 0417714b1b6c7f11cb6c2a5ee4c3738d43353928
            SHA256:7916014dbd3c61585d92aeb14e4c74584c60b7858bfb8e63b2af4560d1955315
            Referenced In Project/Scope: OpenKM Web Application:compile
            spring-security-acl-3.2.10.RELEASE.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.security/spring-security-taglibs@3.2.10.RELEASE

            Identifiers

            CVE-2022-22978  

            In Spring Security versions prior to 5.4.11, 5.5.7, 5.6.4, and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers. Applications using RegexRequestMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.
            CWE-863 Incorrect Authorization

            CVSSv2:
            • Base Score: HIGH (7.5)
            • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
            CVSSv3:
            • Base Score: CRITICAL (9.8)
            • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A

            References:

            Vulnerable Software & Versions: (show all)

            CVE-2021-22112  

            Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE, and older unsupported versions can fail to save the SecurityContext if it is changed more than once in a single request. A malicious user cannot cause the bug to happen (it must be programmed in). However, if the application's intent is to only allow the user to run with elevated privileges in a small portion of the application, the bug can be leveraged to extend those privileges to the rest of the application.
            NVD-CWE-noinfo

            CVSSv2:
            • Base Score: HIGH (9.0)
            • Vector: /AV:N/AC:L/Au:S/C:C/I:C/A:C
            CVSSv3:
            • Base Score: HIGH (8.8)
            • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:2.8/RC:R/MAV:A

            References:

            Vulnerable Software & Versions: (show all)

            CVE-2016-5007  

            Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space trimming in path segments, can lead Spring Security to not recognize certain paths as not protected that are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring Framework provides richer features with regards to pattern matching as well as by the fact that pattern matching in each Spring Security and the Spring Framework can easily be customized creating additional differences.
            CWE-264 Permissions, Privileges, and Access Controls

            CVSSv2:
            • Base Score: MEDIUM (5.0)
            • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
            CVSSv3:
            • Base Score: HIGH (7.5)
            • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:3.9/RC:R/MAV:A

            References:

            Vulnerable Software & Versions: (show all)

            CVE-2022-22976  

            Spring Security versions 5.5.x prior to 5.5.7, 5.6.x prior to 5.6.4, and earlier unsupported versions contain an integer overflow vulnerability. When using the BCrypt class with the maximum work factor (31), the encoder does not perform any salt rounds, due to an integer overflow error. The default settings are not affected by this CVE.
            CWE-190 Integer Overflow or Wraparound

            CVSSv2:
            • Base Score: MEDIUM (4.3)
            • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
            CVSSv3:
            • Base Score: MEDIUM (5.3)
            • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:3.9/RC:R/MAV:A

            References:

            Vulnerable Software & Versions: (show all)
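Why work factor 31 yields no rounds, and a check for it, as an added example that is not Spring Security code: `1 << 31` in a signed 32-bit int wraps to a negative number, so a loop bounded by it never executes, which is the zero-round outcome the advisory describes. The hash strings below are constructed (the `$2a$<cost>$<22-char salt><31-char hash>` layout is the standard bcrypt modular-crypt format); `audit_bcrypt_hashes` and its minimum-cost default are this example's own assumptions.

```python
import re
from typing import Optional

def to_int32(n: int) -> int:
    """Reinterpret an integer as Java's signed 32-bit int (two's complement wrap)."""
    n &= 0xFFFFFFFF
    return n - (1 << 32) if n & 0x80000000 else n

def rounds_java_int(cost: int) -> int:
    """Round count as a 32-bit int computes it: 1 << cost.  Negative at cost 31."""
    if not 4 <= cost <= 31:
        raise ValueError("bcrypt cost must be between 4 and 31")
    return to_int32(1 << cost)

def rounds_java_long(cost: int) -> int:
    """The same shift in a 64-bit type: 1 << 31 stays positive."""
    if not 4 <= cost <= 31:
        raise ValueError("bcrypt cost must be between 4 and 31")
    return (1 << cost) & 0xFFFFFFFFFFFFFFFF

def key_expansion_iterations(rounds: int) -> int:
    """How many times a 'for (i = 0; i < rounds; i++)' body executes for a given bound."""
    return max(rounds, 0)

# Constructed regex for the modular-crypt bcrypt layout: prefix, 2-digit cost,
# then 53 characters of bcrypt-base64 salt+hash.
BCRYPT_HASH = re.compile(r"^\$2[abxy]?\$(\d{2})\$[./A-Za-z0-9]{53}$")

def parse_cost(bcrypt_hash: str) -> Optional[int]:
    """Cost factor encoded in a stored hash, or None if the string is not bcrypt."""
    m = BCRYPT_HASH.match(bcrypt_hash)
    return int(m.group(1)) if m else None

def audit_bcrypt_hashes(hashes, min_cost: int = 10):
    """Return {hash: verdict}.  Cost 31 is flagged because an affected encoder
    ran zero rounds for it; anything below min_cost (assumed floor) is flagged
    as too cheap; non-bcrypt strings are flagged so plaintext stands out."""
    verdicts = {}
    for h in hashes:
        cost = parse_cost(h)
        if cost is None:
            verdicts[h] = "not a bcrypt hash"
        elif cost == 31:
            verdicts[h] = "cost 31: zero rounds on affected encoders (CVE-2022-22976)"
        elif cost < min_cost:
            verdicts[h] = f"cost {cost} below minimum {min_cost}"
        else:
            verdicts[h] = f"ok (cost {cost})"
    return verdicts

# Constructed sample hashes: a 22-character salt plus a 31-character hash body.
_SALT_AND_HASH = "N9qo8uLOickgx2ZMRZoMye" + "IjZAgcfl7p92ldGxad68LJZdL17lhWy"
SAMPLE_HASHES = [
    "$2a$10$" + _SALT_AND_HASH,   # sane cost
    "$2a$31$" + _SALT_AND_HASH,   # maximum cost: the overflow case
    "$2a$04$" + _SALT_AND_HASH,   # legal but far too cheap
    "plaintext-password",         # not a hash at all
]

if __name__ == "__main__":
    for cost in (10, 30, 31):
        print(f"cost {cost:2}: int rounds={rounds_java_int(cost):>12}  "
              f"loop runs={key_expansion_iterations(rounds_java_int(cost)):>11}  "
              f"long rounds={rounds_java_long(cost)}")
    for h, verdict in audit_bcrypt_hashes(SAMPLE_HASHES).items():
        print(f"{h[:12]:12}... {verdict}")
```

The audit pass is the practical takeaway: an encoder configured with strength 31 leaves hashes that look strong but were computed with no key-expansion rounds, and the only way to find them in a user store is to read the cost field out of each stored value.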

            spring-security-config-3.2.10.RELEASE.jar

            Description:

            spring-security-config

            License:

            The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
            File Path: /home/vaclav/.m2/repository/org/springframework/security/spring-security-config/3.2.10.RELEASE/spring-security-config-3.2.10.RELEASE.jar
            MD5: 8c8534526c1ed31e3cdc65523e782e3c
            SHA1: c8c9c742067d5a4879bf8db289cb48b60262056a
            SHA256:f8849bb9e245423924ccdaee6693d497f1b4d2dd2069e7695d4fdd2b82a2f5b3
            Referenced In Project/Scope: OpenKM Web Application:compile
            spring-security-config-3.2.10.RELEASE.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12

            Identifiers

            CVE-2022-22978  

            In Spring Security versions prior to 5.4.11, 5.5.7, 5.6.4, and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers. Applications using RegexRequestMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.
            CWE-863 Incorrect Authorization

            CVSSv2:
            • Base Score: HIGH (7.5)
            • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
            CVSSv3:
            • Base Score: CRITICAL (9.8)
            • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A

            References:

            Vulnerable Software & Versions: (show all)

            CVE-2021-22112  

            Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE, and older unsupported versions can fail to save the SecurityContext if it is changed more than once in a single request. A malicious user cannot cause the bug to happen (it must be programmed in). However, if the application's intent is to only allow the user to run with elevated privileges in a small portion of the application, the bug can be leveraged to extend those privileges to the rest of the application.
            NVD-CWE-noinfo

            CVSSv2:
            • Base Score: HIGH (9.0)
            • Vector: /AV:N/AC:L/Au:S/C:C/I:C/A:C
            CVSSv3:
            • Base Score: HIGH (8.8)
            • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:2.8/RC:R/MAV:A

            References:

            Vulnerable Software & Versions: (show all)

            CVE-2016-5007  

            Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space trimming in path segments, can lead Spring Security to not recognize certain paths as not protected that are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring Framework provides richer features with regards to pattern matching as well as by the fact that pattern matching in each Spring Security and the Spring Framework can easily be customized creating additional differences.
            CWE-264 Permissions, Privileges, and Access Controls

            CVSSv2:
            • Base Score: MEDIUM (5.0)
            • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
            CVSSv3:
            • Base Score: HIGH (7.5)
            • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:3.9/RC:R/MAV:A

            References:

            Vulnerable Software & Versions: (show all)

            CVE-2023-20862 (OSSINDEX)  

            In Spring Security, versions 5.7.x prior to 5.7.8, versions 5.8.x prior to 5.8.3, and versions 6.0.x prior to 6.0.3, the logout support does not properly clean the security context if using serialized versions. Additionally, it is not possible to explicitly save an empty security context to the HttpSessionSecurityContextRepository. This vulnerability can keep users authenticated even after they performed logout. Users of affected versions should apply the following mitigation. 5.7.x users should upgrade to 5.7.8. 5.8.x users should upgrade to 5.8.3. 6.0.x users should upgrade to 6.0.3.
            
            Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2023-20862 for details
            CWE-459 Incomplete Cleanup

            CVSSv3:
            • Base Score: MEDIUM (6.3)
            • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

            References:

            Vulnerable Software & Versions (OSSINDEX):

            • cpe:2.3:a:org.springframework.security:spring-security-config:3.2.10.RELEASE:*:*:*:*:*:*:*

            CVE-2018-1199 (OSSINDEX)  

            Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3) does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. In this particular attack, different character encodings used in path parameters allows secured Spring MVC static resource URLs to be bypassed.
            CWE-20 Improper Input Validation

            CVSSv3:
            • Base Score: MEDIUM (5.3)
            • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

            References:

            Vulnerable Software & Versions (OSSINDEX):

            • cpe:2.3:a:org.springframework.security:spring-security-config:3.2.10.RELEASE:*:*:*:*:*:*:*

            CVE-2022-22976  

            Spring Security versions 5.5.x prior to 5.5.7, 5.6.x prior to 5.6.4, and earlier unsupported versions contain an integer overflow vulnerability. When using the BCrypt class with the maximum work factor (31), the encoder does not perform any salt rounds, due to an integer overflow error. The default settings are not affected by this CVE.
            CWE-190 Integer Overflow or Wraparound

            CVSSv2:
            • Base Score: MEDIUM (4.3)
            • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
            CVSSv3:
            • Base Score: MEDIUM (5.3)
            • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:3.9/RC:R/MAV:A

            References:

            Vulnerable Software & Versions: (show all)

            spring-security-core-3.2.10.RELEASE.jar

            Description:

            spring-security-core

            License:

            The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
            File Path: /home/vaclav/.m2/repository/org/springframework/security/spring-security-core/3.2.10.RELEASE/spring-security-core-3.2.10.RELEASE.jar
            MD5: 86427a3f1e565f975b48cb8b9be4649d
            SHA1: e8018fab2ada266288d1db83cc4e452de1e2ed1c
            SHA256:10443ef19e3cbe2b82197983d7fa0dec5bebd40dc3ca2c0cf02864359cdc2c93
            Referenced In Project/Scope: OpenKM Web Application:compile
            spring-security-core-3.2.10.RELEASE.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12

            Identifiers

            CVE-2022-22978  

            In Spring Security versions prior to 5.4.11, 5.5.7, 5.6.4, and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers. Applications using RegexRequestMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.
            CWE-863 Incorrect Authorization

            CVSSv2:
            • Base Score: HIGH (7.5)
            • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
            CVSSv3:
            • Base Score: CRITICAL (9.8)
            • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A

            References:

            Vulnerable Software & Versions: (show all)

            CVE-2021-22112  

            Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE, and older unsupported versions can fail to save the SecurityContext if it is changed more than once in a single request. A malicious user cannot cause the bug to happen (it must be programmed in). However, if the application's intent is to only allow the user to run with elevated privileges in a small portion of the application, the bug can be leveraged to extend those privileges to the rest of the application.
            NVD-CWE-noinfo

            CVSSv2:
            • Base Score: HIGH (9.0)
            • Vector: /AV:N/AC:L/Au:S/C:C/I:C/A:C
            CVSSv3:
            • Base Score: HIGH (8.8)
            • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:2.8/RC:R/MAV:A

            References:

            Vulnerable Software & Versions: (show all)

            CVE-2024-22257 (OSSINDEX)  

            In Spring Security, versions 5.7.x prior to 5.7.12, 5.8.x prior to 5.8.11, versions 6.0.x prior to 6.0.9, versions 6.1.x prior to 6.1.8, versions 6.2.x prior to 6.2.3, an application is possibly vulnerable to broken access control when it directly uses the AuthenticatedVoter#vote passing a null Authentication parameter.

            CWE-1390 Weak Authentication

            CVSSv3:
            • Base Score: HIGH (8.2)
            • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

            References:

            Vulnerable Software & Versions (OSSINDEX):

            • cpe:2.3:a:org.springframework.security:spring-security-core:3.2.10.RELEASE:*:*:*:*:*:*:*

            CVE-2016-5007  

            Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space trimming in path segments, can lead Spring Security to not recognize certain paths as not protected that are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring Framework provides richer features with regards to pattern matching as well as by the fact that pattern matching in each Spring Security and the Spring Framework can easily be customized creating additional differences.
            CWE-264 Permissions, Privileges, and Access Controls

            CVSSv2:
            • Base Score: MEDIUM (5.0)
            • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
            CVSSv3:
            • Base Score: HIGH (7.5)
            • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:3.9/RC:R/MAV:A

            References:

            Vulnerable Software & Versions: (show all)

            CVE-2019-11272 (OSSINDEX)  

            Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of "null".
            CWE-522 Insufficiently Protected Credentials

            CVSSv3:
            • Base Score: HIGH (7.3)
            • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

            References:

            Vulnerable Software & Versions (OSSINDEX):

            • cpe:2.3:a:org.springframework.security:spring-security-core:3.2.10.RELEASE:*:*:*:*:*:*:*

            CVE-2019-3795 (OSSINDEX)  

            Spring Security versions 4.2.x prior to 4.2.12, 5.0.x prior to 5.0.12, and 5.1.x prior to 5.1.5 contain an insecure randomness vulnerability when using SecureRandomFactoryBean#setSeed to configure a SecureRandom instance. In order to be impacted, an honest application must provide a seed and make the resulting random material available to an attacker for inspection.
            
            Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2019-3795 for details
            CWE-330 Use of Insufficiently Random Values

            CVSSv3:
            • Base Score: MEDIUM (5.3)
            • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

            References:

            Vulnerable Software & Versions (OSSINDEX):

            • cpe:2.3:a:org.springframework.security:spring-security-core:3.2.10.RELEASE:*:*:*:*:*:*:*

            CVE-2022-22976  

            Spring Security versions 5.5.x prior to 5.5.7, 5.6.x prior to 5.6.4, and earlier unsupported versions contain an integer overflow vulnerability. When using the BCrypt class with the maximum work factor (31), the encoder does not perform any salt rounds, due to an integer overflow error. The default settings are not affected by this CVE.
            CWE-190 Integer Overflow or Wraparound

            CVSSv2:
            • Base Score: MEDIUM (4.3)
            • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
            CVSSv3:
            • Base Score: MEDIUM (5.3)
            • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:3.9/RC:R/MAV:A

            References:

            Vulnerable Software & Versions: (show all)

            spring-security-ldap-3.2.10.RELEASE.jar

            Description:

            spring-security-ldap

            License:

            The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
            File Path: /home/vaclav/.m2/repository/org/springframework/security/spring-security-ldap/3.2.10.RELEASE/spring-security-ldap-3.2.10.RELEASE.jar
            MD5: ec497189a708a0c52fbfb1c9056d65c6
            SHA1: 22450c3c3897ed7c06b98d3ac5bdac5e01b31574
            SHA256:948a3476aa3d758fd4c54cd0ef17a5e2297c02d0438033008e82c2a9bd1014cc
            Referenced In Project/Scope: OpenKM Web Application:compile
            spring-security-ldap-3.2.10.RELEASE.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12

            Identifiers

            CVE-2022-22978  

            In Spring Security versions prior to 5.4.11, 5.5.7, 5.6.4, and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers. Applications using RegexRequestMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.
            CWE-863 Incorrect Authorization

            CVSSv2:
            • Base Score: HIGH (7.5)
            • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
            CVSSv3:
            • Base Score: CRITICAL (9.8)
            • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A

            References:

            Vulnerable Software & Versions: (show all)

            CVE-2021-22112  

            Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE, and older unsupported versions can fail to save the SecurityContext if it is changed more than once in a single request. A malicious user cannot cause the bug to happen (it must be programmed in). However, if the application's intent is to only allow the user to run with elevated privileges in a small portion of the application, the bug can be leveraged to extend those privileges to the rest of the application.
            NVD-CWE-noinfo

            CVSSv2:
            • Base Score: HIGH (9.0)
            • Vector: /AV:N/AC:L/Au:S/C:C/I:C/A:C
            CVSSv3:
            • Base Score: HIGH (8.8)
            • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:2.8/RC:R/MAV:A

            References:

            Vulnerable Software & Versions: (show all)

            CVE-2016-5007  

            Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space trimming in path segments, can lead Spring Security to not recognize certain paths as not protected that are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring Framework provides richer features with regards to pattern matching as well as by the fact that pattern matching in each Spring Security and the Spring Framework can easily be customized creating additional differences.
            CWE-264 Permissions, Privileges, and Access Controls

            CVSSv2:
            • Base Score: MEDIUM (5.0)
            • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
            CVSSv3:
            • Base Score: HIGH (7.5)
            • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:3.9/RC:R/MAV:A

            References:

            Vulnerable Software & Versions: (show all)

            CVE-2022-22976  

            Spring Security versions 5.5.x prior to 5.5.7, 5.6.x prior to 5.6.4, and earlier unsupported versions contain an integer overflow vulnerability. When using the BCrypt class with the maximum work factor (31), the encoder does not perform any salt rounds, due to an integer overflow error. The default settings are not affected by this CVE.
            CWE-190 Integer Overflow or Wraparound

            CVSSv2:
            • Base Score: MEDIUM (4.3)
            • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
            CVSSv3:
            • Base Score: MEDIUM (5.3)
            • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:3.9/RC:R/MAV:A

            References:

            Vulnerable Software & Versions: (show all)

            spring-security-web-3.2.10.RELEASE.jar

            Description:

            spring-security-web

            License:

            The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
            File Path: /home/vaclav/.m2/repository/org/springframework/security/spring-security-web/3.2.10.RELEASE/spring-security-web-3.2.10.RELEASE.jar
            MD5: 22b94b4f676727805952091f92cd60f5
            SHA1: b925996ca5a7310e3315705cd2b69a15214ee3e1
            SHA256:84b59931956693916e744977cec02db88fcd17eb11f47081d46b7fdc5196b1dd
            Referenced In Project/Scope: OpenKM Web Application:compile
            spring-security-web-3.2.10.RELEASE.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12

            Identifiers

            CVE-2022-22978  

            In Spring Security versions prior to 5.4.11, 5.5.7, 5.6.4, and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers. Applications using RegexRequestMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.
            CWE-863 Incorrect Authorization

            CVSSv2:
            • Base Score: HIGH (7.5)
            • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
            CVSSv3:
            • Base Score: CRITICAL (9.8)
            • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A

            References:

            Vulnerable Software & Versions: (show all)

            CVE-2021-22112  

            Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE, and older unsupported versions can fail to save the SecurityContext if it is changed more than once in a single request. A malicious user cannot cause the bug to happen (it must be programmed in). However, if the application's intent is to only allow the user to run with elevated privileges in a small portion of the application, the bug can be leveraged to extend those privileges to the rest of the application.
            NVD-CWE-noinfo

            CVSSv2:
            • Base Score: HIGH (9.0)
            • Vector: /AV:N/AC:L/Au:S/C:C/I:C/A:C
            CVSSv3:
            • Base Score: HIGH (8.8)
            • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:2.8/RC:R/MAV:A

            References:

            Vulnerable Software & Versions: (show all)

            CVE-2016-5007  

            Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space trimming in path segments, can lead Spring Security to not recognize certain paths as not protected that are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring Framework provides richer features with regards to pattern matching as well as by the fact that pattern matching in each Spring Security and the Spring Framework can easily be customized creating additional differences.
            CWE-264 Permissions, Privileges, and Access Controls

            CVSSv2:
            • Base Score: MEDIUM (5.0)
            • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
            CVSSv3:
            • Base Score: HIGH (7.5)
            • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:3.9/RC:R/MAV:A

            References:

            Vulnerable Software & Versions: (show all)

            CVE-2016-9879 (OSSINDEX)  

            An issue was discovered in Pivotal Spring Security before 3.2.10, 4.1.x before 4.1.4, and 4.2.x before 4.2.1. Spring Security does not consider URL path parameters when processing security constraints. By adding a URL path parameter with an encoded "/" to a request, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. The unexpected presence of path parameters can cause a constraint to be bypassed. Users of Apache Tomcat (all current versions) are not affected by this vulnerability since Tomcat follows the guidance previously provided by the Servlet Expert group and strips path parameters from the value returned by getContextPath(), getServletPath(), and getPathInfo(). Users of other Servlet containers based on Apache Tomcat may or may not be affected depending on whether or not the handling of path parameters has been modified. Users of IBM WebSphere Application Server 8.5.x are known to be affected. Users of other containers that implement the Servlet specification may be affected.
            CWE-417 Communication Channel Errors

            CVSSv3:
            • Base Score: HIGH (7.5)
            • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

            References:

            Vulnerable Software & Versions (OSSINDEX):

            • cpe:2.3:a:org.springframework.security:spring-security-web:3.2.10.RELEASE:*:*:*:*:*:*:*

            CVE-2023-20862 (OSSINDEX)  

            In Spring Security, versions 5.7.x prior to 5.7.8, versions 5.8.x prior to 5.8.3, and versions 6.0.x prior to 6.0.3, the logout support does not properly clean the security context if using serialized versions. Additionally, it is not possible to explicitly save an empty security context to the HttpSessionSecurityContextRepository. This vulnerability can keep users authenticated even after they performed logout. Users of affected versions should apply the following mitigation. 5.7.x users should upgrade to 5.7.8. 5.8.x users should upgrade to 5.8.3. 6.0.x users should upgrade to 6.0.3.
            
            Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2023-20862 for details
            CWE-459 Incomplete Cleanup

            CVSSv3:
            • Base Score: MEDIUM (6.3)
            • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

            References:

            Vulnerable Software & Versions (OSSINDEX):

            • cpe:2.3:a:org.springframework.security:spring-security-web:3.2.10.RELEASE:*:*:*:*:*:*:*

            CVE-2018-1199 (OSSINDEX)  

            Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3) does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. In this particular attack, different character encodings used in path parameters allows secured Spring MVC static resource URLs to be bypassed.
            CWE-20 Improper Input Validation

            CVSSv3:
            • Base Score: MEDIUM (5.3)
            • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

            References:

            Vulnerable Software & Versions (OSSINDEX):

            • cpe:2.3:a:org.springframework.security:spring-security-web:3.2.10.RELEASE:*:*:*:*:*:*:*

            CVE-2022-22976  

            Spring Security versions 5.5.x prior to 5.5.7, 5.6.x prior to 5.6.4, and earlier unsupported versions contain an integer overflow vulnerability. When using the BCrypt class with the maximum work factor (31), the encoder does not perform any salt rounds, due to an integer overflow error. The default settings are not affected by this CVE.
            CWE-190 Integer Overflow or Wraparound

            CVSSv2:
            • Base Score: MEDIUM (4.3)
            • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
            CVSSv3:
            • Base Score: MEDIUM (5.3)
            • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:3.9/RC:R/MAV:A

            References:

            Vulnerable Software & Versions:

            spring-web-3.2.18.RELEASE.jar

            Description:

            Spring Web

            License:

            The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
            File Path: /home/vaclav/.m2/repository/org/springframework/spring-web/3.2.18.RELEASE/spring-web-3.2.18.RELEASE.jar
            MD5: c3435c31fea5f1e479b4bb5eba32133d
            SHA1: bc0bdade0a7a52b8fae88e1febc8479383a2acad
            SHA256: 0aa220d3703eaf6eff670423978566a2af506fb9ea8bb728fa05bb16bdc74e9c
            Referenced In Project/Scope: OpenKM Web Application:compile
            spring-web-3.2.18.RELEASE.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12

            Identifiers

            CVE-2016-1000027  

            Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.
            CWE-502 Deserialization of Untrusted Data

            CVSSv2:
            • Base Score: HIGH (7.5)
            • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
            CVSSv3:
            • Base Score: CRITICAL (9.8)
            • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A

            References:

            Vulnerable Software & Versions:

            CVE-2018-1270  

            Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.
            CWE-358 Improperly Implemented Security Check for Standard, CWE-94 Improper Control of Generation of Code ('Code Injection')

            CVSSv2:
            • Base Score: HIGH (7.5)
            • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
            CVSSv3:
            • Base Score: CRITICAL (9.8)
            • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A

            References:

            Vulnerable Software & Versions:

            CVE-2022-22965  

            CISA Known Exploited Vulnerability:
            • Product: VMware Spring Framework
            • Name: Spring Framework JDK 9+ Remote Code Execution Vulnerability
            • Date Added: 2022-04-04
            • Description: Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding.
            • Required Action: Apply updates per vendor instructions.
            • Due Date: 2022-04-25

            A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
            CWE-94 Improper Control of Generation of Code ('Code Injection')

            CVSSv2:
            • Base Score: HIGH (7.5)
            • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
            CVSSv3:
            • Base Score: CRITICAL (9.8)
            • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A

            References:

            Vulnerable Software & Versions:

            CVE-2024-22243 (OSSINDEX)  

            Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect (https://cwe.mitre.org/data/definitions/601.html) attack or to an SSRF attack if the URL is used after passing validation checks.

            Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2024-22243 for details
            CWE-20 Improper Input Validation

            CVSSv3:
            • Base Score: HIGH (8.1)
            • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

            References:

            Vulnerable Software & Versions (OSSINDEX):

            • cpe:2.3:a:org.springframework:spring-web:3.2.18.RELEASE:*:*:*:*:*:*:*

            CVE-2016-5007  

            Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space trimming in path segments, can lead Spring Security to not recognize certain paths as not protected that are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring Framework provides richer features with regards to pattern matching as well as by the fact that pattern matching in each Spring Security and the Spring Framework can easily be customized creating additional differences.
            CWE-264 Permissions, Privileges, and Access Controls

            CVSSv2:
            • Base Score: MEDIUM (5.0)
            • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
            CVSSv3:
            • Base Score: HIGH (7.5)
            • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:3.9/RC:R/MAV:A

            References:

            Vulnerable Software & Versions:
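
The three path-handling advisories above (the Spring Security path-parameter bypass, CVE-2018-1199 and CVE-2016-5007) share one mechanism: the layer that decides whether a path is protected normalizes it differently from the layer that decides which controller handles it. The Python model below is an added example, not code from this report, from OpenKM or from Spring; the rules, routes and request paths are constructed, and the percent-encoded case is a generic illustration of the mismatch rather than the exact vector from any of the advisories. It shows the bypass and then the two defenses the fixed lines combine: rejecting ambiguous paths up front (what Spring Security 5's StrictHttpFirewall does) and evaluating the rule on the path the router will actually use.

```python
"""Model of an authorization/routing mismatch (constructed example).

Two layers look at one request path through different lenses:
  - the authorization layer matches its rules against the raw path, in which
    ';' path parameters, percent-encoding and segment whitespace survive;
  - the routing layer strips path parameters, percent-decodes and trims
    each segment before matching a controller pattern.
Any request the two layers normalize differently is a candidate bypass.
"""
from urllib.parse import unquote

# Constructed rules and routes; not OpenKM's or Spring's configuration.
PROTECTED = ["/admin/**"]
CONTROLLERS = {"/admin/users": "AdminController", "/public/**": "PublicController"}


def ant_match(pattern: str, path: str) -> bool:
    """Minimal Ant-style matcher: '**' spans any number of segments,
    '*' exactly one segment, anything else must match literally."""
    p = [seg for seg in pattern.split("/") if seg]
    s = [seg for seg in path.split("/") if seg]
    return _match(p, s)


def _match(p, s):
    if not p:
        return not s
    if p[0] == "**":
        return any(_match(p[1:], s[i:]) for i in range(len(s) + 1))
    return bool(s) and (p[0] == "*" or p[0] == s[0]) and _match(p[1:], s[1:])


def routing_path(raw: str) -> str:
    """What the router sees: path parameters stripped, percent-decoding
    applied, segment whitespace trimmed (Spring MVC's AntPathMatcher trimmed
    tokens by default before 4.3)."""
    return "/".join(unquote(seg.split(";", 1)[0]).strip() for seg in raw.split("/"))


def route(path: str):
    for pattern, controller in CONTROLLERS.items():
        if ant_match(pattern, path):
            return controller
    return None


def dispatch_vulnerable(raw: str, authenticated: bool) -> str:
    """Authorization evaluated on the raw path, routing on the normalized one."""
    if any(ant_match(p, raw) for p in PROTECTED) and not authenticated:
        return "401"
    return route(routing_path(raw)) or "404"


# Tokens whose presence makes a path ambiguous between the two layers.
AMBIGUOUS = (";", "%2f", "%25", "%5c", "\\", "//", "..")


def dispatch_hardened(raw: str, authenticated: bool) -> str:
    """Two defenses together: reject ambiguous paths outright (the approach
    Spring Security 5's StrictHttpFirewall takes) and evaluate the rule on
    the same normalized path the router will use."""
    lowered = raw.lower()
    if any(t in lowered for t in AMBIGUOUS) or any(c.isspace() or ord(c) < 0x20 for c in raw):
        return "400"
    path = routing_path(raw)
    if any(ant_match(p, path) for p in PROTECTED) and not authenticated:
        return "401"
    return route(path) or "404"


if __name__ == "__main__":
    for raw in ("/admin/users", "/admin;x=y/users", "/admin /users", "/%61dmin/users"):
        print(f"{raw!r:22} vulnerable={dispatch_vulnerable(raw, False):16} "
              f"hardened={dispatch_hardened(raw, False)}")
```

Running it dispatches the same four unauthenticated requests through both versions: the raw-path check lets the path-parameter, whitespace and encoded variants reach AdminController, while the hardened version either rejects them or denies them. The lesson is general: wherever authorization and routing parse the same input, either share one normalization or refuse any input the two could read differently; on the 3.2.x line in this report the complete fix is the upgrade the advisories name.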

            CVE-2018-11040  

            Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot, however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests.
            CWE-829 Inclusion of Functionality from Untrusted Control Sphere

            CVSSv2:
            • Base Score: MEDIUM (4.3)
            • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
            CVSSv3:
            • Base Score: HIGH (7.5)
            • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:3.9/RC:R/MAV:A

            References:

            Vulnerable Software & Versions:

            CVE-2018-1272 (OSSINDEX)  

            Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When a Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could lead to privilege escalation, for example, if the part content represents a username or user roles.
            CWE-264 Permissions, Privileges, and Access Controls

            CVSSv3:
            • Base Score: HIGH (7.5)
            • Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

            References:

            Vulnerable Software & Versions (OSSINDEX):

            • cpe:2.3:a:org.springframework:spring-web:3.2.18.RELEASE:*:*:*:*:*:*:*

            CVE-2018-1257  

            Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression, denial of service attack.
            NVD-CWE-noinfo

            CVSSv2:
            • Base Score: MEDIUM (4.0)
            • Vector: /AV:N/AC:L/Au:S/C:N/I:N/A:P
            CVSSv3:
            • Base Score: MEDIUM (6.5)
            • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:2.8/RC:R/MAV:A

            References:

            Vulnerable Software & Versions:

            CVE-2020-5421  

            In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
            NVD-CWE-noinfo

            CVSSv2:
            • Base Score: LOW (3.6)
            • Vector: /AV:N/AC:H/Au:S/C:P/I:P/A:N
            CVSSv3:
            • Base Score: MEDIUM (6.5)
            • Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N/E:1.3/RC:R/MAV:A

            References:

            Vulnerable Software & Versions:

            CVE-2022-22950  

            In Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.
            CWE-770 Allocation of Resources Without Limits or Throttling

            CVSSv2:
            • Base Score: MEDIUM (4.0)
            • Vector: /AV:N/AC:L/Au:S/C:N/I:N/A:P
            CVSSv3:
            • Base Score: MEDIUM (6.5)
            • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:2.8/RC:R/MAV:A

            References:

            Vulnerable Software & Versions:

            CVE-2023-20861  

            In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.
            NVD-CWE-noinfo

            CVSSv3:
            • Base Score: MEDIUM (6.5)
            • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:2.8/RC:R/MAV:A

            References:

            Vulnerable Software & Versions:

            CVE-2018-11039  

            Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.
            NVD-CWE-noinfo

            CVSSv2:
            • Base Score: MEDIUM (4.3)
            • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
            CVSSv3:
            • Base Score: MEDIUM (5.9)
            • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:2.2/RC:R/MAV:A

            References:

            Vulnerable Software & Versions:

            CVE-2022-22968  

            In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path.
            CWE-178 Improper Handling of Case Sensitivity

            CVSSv2:
            • Base Score: MEDIUM (5.0)
            • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
            CVSSv3:
            • Base Score: MEDIUM (5.3)
            • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:3.9/RC:R/MAV:A

            References:

            Vulnerable Software & Versions:
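
CVE-2022-22968 above explains why the disallowedFields workaround for CVE-2022-22965 (listed earlier for this jar) could be bypassed: the patterns were matched case-sensitively, so `class.*` stopped `class.classLoader` but not `Class.classLoader`. The Python block below is an added example, not code from this report, from OpenKM or from Spring; it models the binder's allow/deny decision with fnmatch rather than Spring's own PatternMatchUtils, and the request parameters are constructed. It shows which fields each variant of the check lets through, the both-cases workaround the CVE text describes, and the lower-cased comparison the fixed releases apply.

```python
"""Model of DataBinder disallowedFields matching, case-sensitive versus
case-insensitive (constructed example)."""
from fnmatch import fnmatchcase

# The pattern family published as the Spring4Shell workaround, single-case form.
DISALLOWED = ["class.*", "*.class.*"]

# The interim workaround from the CVE text: list both spellings of the first
# character of the field and of every nested field.
DISALLOWED_BOTH_CASES = ["class.*", "Class.*", "*.class.*", "*.Class.*"]

# Constructed request parameters: one benign field and three property paths
# that walk from the bound object to its ClassLoader, differing only in case.
REQUEST = {
    "name": "alice",
    "class.classLoader.x": "1",
    "Class.classLoader.x": "1",
    "address.Class.classLoader.x": "1",
}


def allowed_case_sensitive(field: str, disallowed) -> bool:
    """Pre-fix behaviour: a pattern blocks a field only if it matches it as sent."""
    return not any(fnmatchcase(field, p) for p in disallowed)


def allowed_case_insensitive(field: str, disallowed) -> bool:
    """Fixed behaviour: patterns and field are compared after lower-casing both,
    so a single pattern covers every capitalisation of the path."""
    field = field.lower()
    return not any(fnmatchcase(field, p.lower()) for p in disallowed)


def bind(params: dict, disallowed, is_allowed) -> dict:
    """Return the subset of request parameters a binder would apply to the target."""
    return {k: v for k, v in params.items() if is_allowed(k, disallowed)}


if __name__ == "__main__":
    print("case-sensitive, single case:", sorted(bind(REQUEST, DISALLOWED, allowed_case_sensitive)))
    print("case-sensitive, both cases :", sorted(bind(REQUEST, DISALLOWED_BOTH_CASES, allowed_case_sensitive)))
    print("case-insensitive           :", sorted(bind(REQUEST, DISALLOWED, allowed_case_insensitive)))
```

With the single-case patterns and the case-sensitive check, two of the three ClassLoader paths are still bound; listing both spellings or lower-casing both sides reduces the bound set to the benign field. In a Spring MVC application the corresponding hook is WebDataBinder.setDisallowedFields, called from an @InitBinder method or a @ControllerAdvice; on a 3.2.x line such as this one that call is a stop-gap, not a substitute for the upgrade.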

            CVE-2022-22970  

            In Spring Framework versions prior to 5.3.20 and 5.2.22, and older unsupported versions, applications that handle file uploads are vulnerable to a DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.
            CWE-770 Allocation of Resources Without Limits or Throttling

            CVSSv2:
            • Base Score: LOW (3.5)
            • Vector: /AV:N/AC:M/Au:S/C:N/I:N/A:P
            CVSSv3:
            • Base Score: MEDIUM (5.3)
            • Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:1.6/RC:R/MAV:A

            References:

            Vulnerable Software & Versions:

            spring-webmvc-3.2.18.RELEASE.jar

            Description:

            Spring Web MVC

            License:

            The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
            File Path: /home/vaclav/.m2/repository/org/springframework/spring-webmvc/3.2.18.RELEASE/spring-webmvc-3.2.18.RELEASE.jar
            MD5: 2cb8a9569b95a76a0485d71c913c1819
            SHA1: 60e5bb3dc9cb83d6cc53628082ec89a57d4832b2
            SHA256: effcce98fd4e9fa95c9a53e49db801f1e2d011ee6dcbb7a7eb1a3ca3bcb2cfd5
            Referenced In Project/Scope: OpenKM Web Application:compile
            spring-webmvc-3.2.18.RELEASE.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12

            Identifiers

            CVE-2018-1270  

            Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.
            CWE-358 Improperly Implemented Security Check for Standard, CWE-94 Improper Control of Generation of Code ('Code Injection')

            CVSSv2:
            • Base Score: HIGH (7.5)
            • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
            CVSSv3:
            • Base Score: CRITICAL (9.8)
            • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A

            References:

            Vulnerable Software & Versions:

            CVE-2022-22965  

            CISA Known Exploited Vulnerability:
            • Product: VMware Spring Framework
            • Name: Spring Framework JDK 9+ Remote Code Execution Vulnerability
            • Date Added: 2022-04-04
            • Description: Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding.
            • Required Action: Apply updates per vendor instructions.
            • Due Date: 2022-04-25

            A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
            CWE-94 Improper Control of Generation of Code ('Code Injection')

            CVSSv2:
            • Base Score: HIGH (7.5)
            • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
            CVSSv3:
            • Base Score: CRITICAL (9.8)
            • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A

            References:

            Vulnerable Software & Versions:

            CVE-2016-5007  

            Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space trimming in path segments, can lead Spring Security to not recognize certain paths as not protected that are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring Framework provides richer features with regards to pattern matching as well as by the fact that pattern matching in each Spring Security and the Spring Framework can easily be customized creating additional differences.
            CWE-264 Permissions, Privileges, and Access Controls

            CVSSv2:
            • Base Score: MEDIUM (5.0)
            • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
            CVSSv3:
            • Base Score: HIGH (7.5)
            • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:3.9/RC:R/MAV:A

            References:

            Vulnerable Software & Versions:

            CVE-2018-11040  

            Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot, however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests.
            CWE-829 Inclusion of Functionality from Untrusted Control Sphere

            CVSSv2:
            • Base Score: MEDIUM (4.3)
            • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
            CVSSv3:
            • Base Score: HIGH (7.5)
            • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:3.9/RC:R/MAV:A

            References:

            Vulnerable Software & Versions:

            CVE-2018-1257  

            Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression, denial of service attack.
            NVD-CWE-noinfo

            CVSSv2:
            • Base Score: MEDIUM (4.0)
            • Vector: /AV:N/AC:L/Au:S/C:N/I:N/A:P
            CVSSv3:
            • Base Score: MEDIUM (6.5)
            • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:2.8/RC:R/MAV:A

            References:

            Vulnerable Software & Versions:

            CVE-2020-5421  

            In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
            NVD-CWE-noinfo

            CVSSv2:
            • Base Score: LOW (3.6)
            • Vector: /AV:N/AC:H/Au:S/C:P/I:P/A:N
            CVSSv3:
            • Base Score: MEDIUM (6.5)
            • Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N/E:1.3/RC:R/MAV:A

            References:

            Vulnerable Software & Versions:

            CVE-2022-22950  

            In Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.
            CWE-770 Allocation of Resources Without Limits or Throttling

            CVSSv2:
            • Base Score: MEDIUM (4.0)
            • Vector: /AV:N/AC:L/Au:S/C:N/I:N/A:P
            CVSSv3:
            • Base Score: MEDIUM (6.5)
            • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:2.8/RC:R/MAV:A

            References:

            Vulnerable Software & Versions:

            CVE-2023-20861  

            In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.
            NVD-CWE-noinfo

            CVSSv3:
            • Base Score: MEDIUM (6.5)
            • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:2.8/RC:R/MAV:A

            References:

            Vulnerable Software & Versions:

            CVE-2018-1271 (OSSINDEX)  

            Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead a directory traversal attack.
            CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

            CVSSv3:
            • Base Score: MEDIUM (5.9)
            • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

            References:

            Vulnerable Software & Versions (OSSINDEX):

            • cpe:2.3:a:org.springframework:spring-webmvc:3.2.18.RELEASE:*:*:*:*:*:*:*

            CVE-2018-11039  

            Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.
            NVD-CWE-noinfo

            CVSSv2:
            • Base Score: MEDIUM (4.3)
            • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
            CVSSv3:
            • Base Score: MEDIUM (5.9)
            • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:2.2/RC:R/MAV:A

            References:

            Vulnerable Software & Versions:

            CVE-2022-22968  

            In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path.
            CWE-178 Improper Handling of Case Sensitivity

            CVSSv2:
            • Base Score: MEDIUM (5.0)
            • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
            CVSSv3:
            • Base Score: MEDIUM (5.3)
            • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:3.9/RC:R/MAV:A

            References:

            Vulnerable Software & Versions:

            CVE-2022-22970  

            In Spring Framework versions prior to 5.3.20 and 5.2.22, and older unsupported versions, applications that handle file uploads are vulnerable to a DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.
            CWE-770 Allocation of Resources Without Limits or Throttling

            CVSSv2:
            • Base Score: LOW (3.5)
            • Vector: /AV:N/AC:M/Au:S/C:N/I:N/A:P
            CVSSv3:
            • Base Score: MEDIUM (5.3)
            • Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:1.6/RC:R/MAV:A

            References:

            Vulnerable Software & Versions:

            CVE-2021-22060 (OSSINDEX)  

            In Spring Framework versions 5.3.0 - 5.3.13, 5.2.0 - 5.2.18, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries. This is a follow-up to CVE-2021-22096 that protects against additional types of input and in more places of the Spring Framework codebase.
            CWE-117 Improper Output Neutralization for Logs

            CVSSv3:
            • Base Score: MEDIUM (4.3)
            • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

            References:

            Vulnerable Software & Versions (OSSINDEX):

            • cpe:2.3:a:org.springframework:spring-webmvc:3.2.18.RELEASE:*:*:*:*:*:*:*
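
CVE-2021-22060 above is a log-injection issue (CWE-117): input that carries CR or LF is written into a record and starts what looks like a second, attacker-authored record, which a line-oriented consumer cannot tell from a real one. The Python block below is an added example, not code from this report, from OpenKM or from Spring; the record format and the attacker-controlled username are constructed. It shows the forged record, a writer that neutralizes control characters before they reach the log, and a structured (JSON) writer whose serializer makes the separate escape step unnecessary.

```python
"""Log-record forgery via unneutralized input, and two ways to stop it
(constructed example)."""
import json
import re

# Anything that can terminate or reshape a line in a text log.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")

# Constructed attacker input: a username that carries a complete second record.
ATTACKER_USERNAME = "bob\n2024-05-01T12:00:00Z INFO login user=admin outcome=success"


def neutralize(value: str) -> str:
    """Replace CR, LF and other control characters with a visible \\xNN escape,
    so the value stays inside the record it was written to."""
    return CONTROL_CHARS.sub(lambda m: "\\x{:02x}".format(ord(m.group(0))), value)


def text_record(username: str, outcome: str, neutralize_input: bool) -> str:
    """One login event as a plain-text record; the flag switches the defense on or off."""
    field = neutralize(username) if neutralize_input else username
    return "2024-05-01T12:00:00Z WARN login user={} outcome={}".format(field, outcome)


def json_record(username: str, outcome: str) -> str:
    """The same event as a structured record: the serializer escapes the newline
    as the two characters '\\n', so the field cannot break out of the record."""
    return json.dumps({"ts": "2024-05-01T12:00:00Z", "level": "WARN",
                       "event": "login", "user": username, "outcome": outcome})


def count_records(log_text: str) -> int:
    """How many records a line-oriented consumer (grep, a SIEM parser) would see."""
    return sum(1 for line in log_text.split("\n") if line.strip())


if __name__ == "__main__":
    for label, rec in (("naive", text_record(ATTACKER_USERNAME, "failure", False)),
                       ("neutralized", text_record(ATTACKER_USERNAME, "failure", True)),
                       ("json", json_record(ATTACKER_USERNAME, "failure"))):
        print("{:12} records={} -> {}".format(label, count_records(rec), rec))
```

The naive writer turns one failed login into two records, the second of which reports a successful login by admin; both hardened writers keep it to one. Escaping at the sink is the minimal fix for an existing text log; moving to structured records removes the class of bug rather than one instance of it, and is what a detection pipeline should be fed anyway.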

            spring-ws-core-2.1.4.RELEASE.jar

            Description:

            Spring Web Services Core package.

            File Path: /home/vaclav/.m2/repository/org/springframework/ws/spring-ws-core/2.1.4.RELEASE/spring-ws-core-2.1.4.RELEASE.jar
            MD5: 3af5370615b2816ef898934d4d666039
            SHA1: 136d082e0aa7f43edee019f0779a2555b1c72fd4
            SHA256: 8782c0b394ada40448ad5ace1914f4a88d3ebe79c92fa79bd3d816fd86222365
            Referenced In Project/Scope: OpenKM Web Application:compile
            spring-ws-core-2.1.4.RELEASE.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12

            Identifiers

            CVE-2019-3773  

            Spring Web Services, versions 2.4.3, 3.0.4, and older unsupported versions of all three projects, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources.
            CWE-611 Improper Restriction of XML External Entity Reference

            CVSSv2:
            • Base Score: HIGH (7.5)
            • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
            CVSSv3:
            • Base Score: CRITICAL (9.8)
            • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A

            References:

            Vulnerable Software & Versions:

            sql-hint.js

            File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/addon/hint/sql-hint.js
            MD5: 4c27642784664b7e0484a11ad2850c57
            SHA1: bebb61496040c046540ebbb17861158fb670c10d
            SHA256: b97d977c167f2db5efdb7be83ec0ec5ef01f7e0f35908739f16d7e3e4490188d
            Referenced In Project/Scope: OpenKM Web Application

            Identifiers

            • None

            sql.js

            File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/sql/sql.js
            MD5: 6c04b6e6e12f8bb8eead7bf853e66d32
            SHA1: c1a2166061b0a68a73e08efec88831bdd6e89203
            SHA256: 1f78817f680b3ebbe726d2d48f4a094d1bc5d41d4066355bef9261208a6b3fd2
            Referenced In Project/Scope: OpenKM Web Application

            Identifiers

            • None

            sr.js

            File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/sr.js
            MD5: ce0b00505e20ce27858859ae6cd28406
            SHA1: 6aef42af49cc2866368503fcaaa97e32146e5a0b
            SHA256: 803da84204c0bb0348a76c50b317b42d8637604ccfd67fc6b6c6cd77bee32280
            Referenced In Project/Scope: OpenKM Web Application

            Identifiers

            • None

            stax-1.2.0.jar

            Description:

            StAX is the reference implementation of the StAX API

            File Path: /home/vaclav/.m2/repository/stax/stax/1.2.0/stax-1.2.0.jar
            MD5: aa3439d235f7d999532b66bac56c1f87
            SHA1: c434800de5e4bbe1822805be5fb1c32d6834f830
            SHA256: df6905a047b05e23bc91f03ba57ac2f87c1ddf83e048aa0e5bd13169d5ebf0d9
            Referenced In Project/Scope: OpenKM Web Application:compile
            stax-1.2.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/net.sf.jasperreports/jasperreports@6.4.3

            Identifiers

            stax-api-1.0-2.jar

            Description:

            StAX is a standard XML processing API that allows you to stream XML data from and to your application.

            License:

            GNU General Public Library: http://www.gnu.org/licenses/gpl.txt
            COMMON DEVELOPMENT AND DISTRIBUTION LICENSE (CDDL) Version 1.0: http://www.sun.com/cddl/cddl.html
            File Path: /home/vaclav/.m2/repository/javax/xml/stream/stax-api/1.0-2/stax-api-1.0-2.jar
            MD5: 7d18b63063580284c3f5734081fdc99f
            SHA1: d6337b0de8b25e53e81b922352fbea9f9f57ba0b
            SHA256: e8c70ebd76f982c9582a82ef82cf6ce14a7d58a4a4dca5cb7b7fc988c80089b7
            Referenced In Project/Scope: OpenKM Web Application:compile
            stax-api-1.0-2.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.ws/spring-ws-core@2.1.4.RELEASE

            Identifiers

            stax-api-1.0.1.jar

            Description:

            StAX API is the standard java XML processing API defined by JSR-173

            License:

            The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
            File Path: /home/vaclav/.m2/repository/stax/stax-api/1.0.1/stax-api-1.0.1.jar
            MD5: 7d436a53c64490bee564c576babb36b4
            SHA1: 49c100caf72d658aca8e58bd74a4ba90fa2b0d70
            SHA256:d1968436fc216c901fb9b82c7e878b50fd1d30091676da95b2edd3a9c0ccf92e
            Referenced In Project/Scope: OpenKM Web Application:compile
            stax-api-1.0.1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.codehaus.jettison/jettison@1.3.5

            Identifiers

            stax-ex-1.2.jar

            Description:

            Extensions to JSR-173 StAX API.

            License:

            Common Development And Distribution License (CDDL) Version 1.0: http://www.sun.com/cddl/cddl.html
            File Path: /home/vaclav/.m2/repository/org/jvnet/staxex/stax-ex/1.2/stax-ex-1.2.jar
            MD5: e5b8a72a34f085b92ef54d8cd7a24a1c
            SHA1: a0ad9319e140a1e5ddcc77f870ca67722bab8ff7
            SHA256:0a5b10337e13bfbf7384274d6958f5eb1132ae6060af4011ef32ed7f02d339d6
            Referenced In Project/Scope: OpenKM Web Application:compile
            stax-ex-1.2.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.apache.chemistry.opencmis/chemistry-opencmis-server-bindings@0.12.0

            Identifiers

            stax2-api-4.1.jar

            Description:

            Stax2 API is an extension to the basic Stax 1.0 API that adds significant new functionality, such as a full-featured bi-directional validation interface and a high-performance Typed Access API.

            License:

            The BSD License: http://www.opensource.org/licenses/bsd-license.php
            File Path: /home/vaclav/.m2/repository/org/codehaus/woodstox/stax2-api/4.1/stax2-api-4.1.jar
            MD5: 63d94c33170b23d46f0f2e21ac708872
            SHA1: b6e20f3760016b70358e9227be904ecb26a50530
            SHA256:3e99c678c42ce353595b6cc71e62f25bd6e58860b3cf79b60adc9240a967924f
            Referenced In Project/Scope: OpenKM Web Application:compile
            stax2-api-4.1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.apache.cxf/cxf-rt-frontend-jaxws@3.2.6

            Identifiers

            stex.js

            File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/stex/stex.js
            MD5: dab06b4adb721265eeee8b0cd31e7664
            SHA1: ad3bbc4f462be3ef59ddc64d0c42894d526bfecd
            SHA256:0394d8791bb2b0fcc1fc2de82780721b454a7ba3b8f63002d44327cc5b940459
            Referenced In Project/Scope: OpenKM Web Application

            Identifiers

            • None

            streambuffer-0.9.jar

            File Path: /home/vaclav/.m2/repository/com/sun/xml/stream/buffer/streambuffer/0.9/streambuffer-0.9.jar
            MD5: f81bbfa225d404afde803263905158ff
            SHA1: f4b8b8575fcc558768df76658192f3c0202ca22a
            SHA256:1bcfb2072318cb160ab9ffe32330811154e9a2de1be634626cf2b6e6ab4d0868
            Referenced In Project/Scope: OpenKM Web Application:compile
            streambuffer-0.9.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.apache.chemistry.opencmis/chemistry-opencmis-server-bindings@0.12.0

            Identifiers

            stringtemplate-3.2.1.jar

            Description:

            StringTemplate is a Java template engine for generating source code,
            web pages, emails, or any other formatted text output.

            StringTemplate is particularly good at multi-targeted code generators,
            multiple site skins, and internationalization/localization.

            It evolved over years of effort developing jGuru.com.

            StringTemplate also generates the stringtemplate website: http://www.stringtemplate.org
            and powers the ANTLR v3 code generator. Its distinguishing characteristic
            is that unlike other engines, it strictly enforces model-view separation.

            Strict separation makes websites and code generators more flexible
            and maintainable; it also provides an excellent defense against malicious
            template authors.

            There are currently about 600 StringTemplate source downloads a month.

            License:

            BSD licence: http://antlr.org/license.html
            File Path: /home/vaclav/.m2/repository/org/antlr/stringtemplate/3.2.1/stringtemplate-3.2.1.jar
            MD5: b58ca53e518a92a1991eb63b61917582
            SHA1: 59ec8083721eae215c6f3caee944c410d2be34de
            SHA256:f66ce72e965e5301cb0f020e54d2ba6ad76feb91b3cbfc30dbbf00c06a6df6d7
            Referenced In Project/Scope: OpenKM Web Application:compile
            stringtemplate-3.2.1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.docx4j/docx4j@3.1.0

            Identifiers

            sv_SE.js

            File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/sv_SE.js
            MD5: 3019b664fde32320fa3ebda0dedb380b
            SHA1: 6182d2700069e060466771b929db43731ac25224
            SHA256:113a1fc4fc044a18ef758aa42b5b6a1390dbb0d54a2baafc9cce7828bb26d616
            Referenced In Project/Scope: OpenKM Web Application

            Identifiers

            • None

            swagger-annotations-1.5.17.jar

            License:

            http://www.apache.org/licenses/LICENSE-2.0.html
            File Path: /home/vaclav/.m2/repository/io/swagger/swagger-annotations/1.5.17/swagger-annotations-1.5.17.jar
            MD5: da474d498fb4ad5594b71105f5108db2
            SHA1: 1d8fcae3968a14b550e80fcebf5744da608902a0
            SHA256:6a5d8e681c6fabf1f681a76397bac44a4b67bafaf9505526f5e34fd69d9f68bc
            Referenced In Project/Scope: OpenKM Web Application:compile
            swagger-annotations-1.5.17.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.apache.cxf/cxf-rt-rs-service-description-swagger@3.2.6

            Identifiers

            swagger-core-1.5.17.jar

            License:

            http://www.apache.org/licenses/LICENSE-2.0.html
            File Path: /home/vaclav/.m2/repository/io/swagger/swagger-core/1.5.17/swagger-core-1.5.17.jar
            MD5: 9c4e3263d65de6eded49b1c6925916fa
            SHA1: 527636afc525df6ba1329f894df3880e69444170
            SHA256:c6c934766aa3ed1d485f29917991c28ac92b33c4233fd627f576e4146298383b
            Referenced In Project/Scope: OpenKM Web Application:compile
            swagger-core-1.5.17.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.apache.cxf/cxf-rt-rs-service-description-swagger@3.2.6

            Identifiers

            swagger-jaxrs-1.5.17.jar

            License:

            http://www.apache.org/licenses/LICENSE-2.0.html
            File Path: /home/vaclav/.m2/repository/io/swagger/swagger-jaxrs/1.5.17/swagger-jaxrs-1.5.17.jar
            MD5: e02642aca4ceace29306b164d988fc24
            SHA1: 56473a34611b9517918c0dbcbce471aa8055679f
            SHA256:5149aa405990bcf7b96a2aa61a487697091fc2b1402c72b3ff12fc7a4422580b
            Referenced In Project/Scope: OpenKM Web Application:compile
            swagger-jaxrs-1.5.17.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.apache.cxf/cxf-rt-rs-service-description-swagger@3.2.6

            Identifiers

            swagger-models-1.5.17.jar

            License:

            http://www.apache.org/licenses/LICENSE-2.0.html
            File Path: /home/vaclav/.m2/repository/io/swagger/swagger-models/1.5.17/swagger-models-1.5.17.jar
            MD5: 0ec0b06a97fd9b9b287bf24130692d25
            SHA1: 8e03ed429bdfbddff22a286aff9a45a675597275
            SHA256:d9934756608ab5dde445fdf122af7a8cd57ae89820378e419a42d9b39b15d8d6
            Referenced In Project/Scope: OpenKM Web Application:compile
            swagger-models-1.5.17.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.apache.cxf/cxf-rt-rs-service-description-swagger@3.2.6

            Identifiers

            swagger-ui-3.17.6.jar

            Description:

            WebJar for Swagger UI

            License:

            Apache 2.0: https://github.com/swagger-api/swagger-ui
            File Path: /home/vaclav/.m2/repository/org/webjars/swagger-ui/3.17.6/swagger-ui-3.17.6.jar
            MD5: 46ca7ee57bac0ab09c2e194c0f9b0b9c
            SHA1: aa6e8134f67aea65a701823fc2b3a5dfe88344c8
            SHA256:13d49d26d86a2b3151f1abf81f8a7686fb60e3c23b46651a9f2caf313f15d2af
            Referenced In Project/Scope: OpenKM Web Application:compile
            swagger-ui-3.17.6.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12

            Identifiers

            CVE-2019-17495 (OSSINDEX)  

            A Cascading Style Sheets (CSS) injection vulnerability in Swagger UI before 3.23.11 allows attackers to use the Relative Path Overwrite (RPO) technique to perform CSS-based input field value exfiltration, such as exfiltration of a CSRF token value. In other words, this product intentionally allows the embedding of untrusted JSON data from remote servers, but it was not previously known that <style>@import within the JSON data was a functional attack method.
            
            Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2019-17495 for details
            CWE-352 Cross-Site Request Forgery (CSRF)

            CVSSv3:
            • Base Score: CRITICAL (9.8)
            • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

            References:

            Vulnerable Software & Versions (OSSINDEX):

            • cpe:2.3:a:org.webjars:swagger-ui:3.17.6:*:*:*:*:*:*:*

            CVE-2018-25031 (OSSINDEX)  

            Swagger UI before 4.1.3 could allow a remote attacker to conduct spoofing attacks. By persuading a victim to open a crafted URL, an attacker could exploit this vulnerability to display remote OpenAPI definitions.
            CWE-20 Improper Input Validation

            CVSSv3:
            • Base Score: MEDIUM (4.3)
            • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

            References:

            Vulnerable Software & Versions (OSSINDEX):

            • cpe:2.3:a:org.webjars:swagger-ui:3.17.6:*:*:*:*:*:*:*

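            The "Included by" lines throughout this section name the package URL (purl) that pulls each jar into the build; what a practitioner actually needs from them is which declared dependency to bump. The script below is an added example, not part of Dependency-Check or the OpenKM project: it parses those lines and a minimal purl grammar, then groups flagged jars by the coordinates that introduce them, treating a jar whose includer is the project's own purl (com.openkm:openkm:6.3.12, from the report header) as a direct dependency. The sample lines are copied from this report; the regexes and function names are the author's own.

```python
"""Group Dependency-Check 'Included by' lines by the dependency to bump (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Matches both "items.Included by:" (as extracted) and "items. Included by:".
INCLUDED_BY_RE = re.compile(
    r"^(?P<jar>\S+) is in the transitive dependency tree of the listed items\.\s*"
    r"Included by:\s*(?P<purls>.+)$"
)
# Minimal package-URL grammar: pkg:type/namespace/name@version (qualifiers and subpath ignored).
PURL_RE = re.compile(
    r"^pkg:(?P<type>[^/]+)/(?:(?P<namespace>.+)/)?(?P<name>[^/@]+)@(?P<version>[^?#]+)"
)

# Constructed input: lines copied from this report, plus one unrelated line that must be ignored.
PROJECT = "com.openkm:openkm:6.3.12"
REPORT_LINES = [
    "swagger-ui-3.17.6.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.openkm/openkm@6.3.12",
    "woodstox-core-5.1.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.apache.cxf/cxf-rt-frontend-jaxws@3.2.6",
    "stax2-api-4.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.apache.cxf/cxf-rt-frontend-jaxws@3.2.6",
    "stax-api-1.0.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.codehaus.jettison/jettison@1.3.5",
    "twitter4j-2.0.10.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.openkm/openkm@6.3.12",
    "Identifiers",
]


@dataclass(frozen=True)
class Purl:
    type: str
    namespace: str
    name: str
    version: str

    @property
    def coordinates(self) -> str:
        """Maven-style groupId:artifactId:version."""
        return f"{self.namespace}:{self.name}:{self.version}"


def parse_purl(text: str) -> Purl:
    m = PURL_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a package URL: {text!r}")
    return Purl(m["type"], m["namespace"] or "", m["name"], m["version"])


def parse_included_by(lines) -> dict:
    """jar file name -> list of purls that introduce it; non-matching lines are skipped."""
    found = {}
    for line in lines:
        m = INCLUDED_BY_RE.match(line.strip())
        if m:
            found[m["jar"]] = [parse_purl(p) for p in re.split(r"[,\s]+", m["purls"]) if p]
    return found


def remediation_plan(lines, project: str) -> dict:
    """Coordinates to bump -> sorted flagged jars they introduce.
    A jar whose includer is the project purl itself is declared directly ('DIRECT')."""
    plan = defaultdict(list)
    for jar, includers in parse_included_by(lines).items():
        for p in includers:
            key = "DIRECT" if p.coordinates == project else p.coordinates
            plan[key].append(jar)
    return {k: sorted(v) for k, v in plan.items()}


if __name__ == "__main__":
    for dep, jars in remediation_plan(REPORT_LINES, PROJECT).items():
        print(f"{dep}: {', '.join(jars)}")
```

            On the sample lines this shows that swagger-ui and twitter4j are declared directly in the OpenKM POM, while woodstox-core and stax2-api arrive together through cxf-rt-frontend-jaxws 3.2.6, so one CXF upgrade covers both. Dependency-Check can list more than one includer per jar; the parser keeps all of them rather than assuming a single path.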
            swagger-ui-3.17.6.jar: swagger-ui-bundle.js

            File Path: /home/vaclav/.m2/repository/org/webjars/swagger-ui/3.17.6/swagger-ui-3.17.6.jar/META-INF/resources/webjars/swagger-ui/3.17.6/swagger-ui-bundle.js
            MD5: bcb6d93a44c0ad80c9b399ad09f0778a
            SHA1: b614cf220c82e81256f337c18b250fbfd094d1cf
            SHA256:de303e7363a090dcd80a5c85edefe7cfccb742f8d82b7fd50f50cfe1056b93af
            Referenced In Project/Scope: OpenKM Web Application:compile

            Identifiers

            • None

            swagger-ui-3.17.6.jar: swagger-ui-standalone-preset.js

            File Path: /home/vaclav/.m2/repository/org/webjars/swagger-ui/3.17.6/swagger-ui-3.17.6.jar/META-INF/resources/webjars/swagger-ui/3.17.6/swagger-ui-standalone-preset.js
            MD5: 17a7fa74a9616c401b048459d9d9ecf2
            SHA1: adaf6ee55688227975ffa3f5de156ddb018eeb43
            SHA256:79fa6891d5f91273fd5a295af28a7c93585eec8002711a6aff008d2289ef7b38
            Referenced In Project/Scope: OpenKM Web Application:compile

            Identifiers

            • None

            swagger-ui-3.17.6.jar: swagger-ui.js

            File Path: /home/vaclav/.m2/repository/org/webjars/swagger-ui/3.17.6/swagger-ui-3.17.6.jar/META-INF/resources/webjars/swagger-ui/3.17.6/swagger-ui.js
            MD5: c4eab626a0f64edb4c5ed018fdd97f4a
            SHA1: 58c039d2b54c40f3b9006a8803531556d44675c5
            SHA256:86d34bf848042159c45389472b4eb92d053c19534994024fd0c05ebe46597dde
            Referenced In Project/Scope: OpenKM Web Application:compile

            Identifiers

            • None

            swfobject.js

            File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/swfobject/swfobject.js
            MD5: 892a543f3abb54e8ec1ada55be3b0649
            SHA1: 5847ed101f55d51c53538a7078971e7de8fb6762
            SHA256:8677971b119ccdb82af697ff0e08f218490d15116f221d44301f1cc8797e67d4
            Referenced In Project/Scope: OpenKM Web Application

            Identifiers

            • None

            ta.js

            File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/ta.js
            MD5: 7c07e544eba8abc83f3f503dc52682da
            SHA1: a6acbfd406b985eea6cdd6150a482709abeec160
            SHA256:4c2d0bfe9227c0c68ac339a89b241cec7ee59ec3f523fa64b76f085399d92fa7
            Referenced In Project/Scope: OpenKM Web Application

            Identifiers

            • None

            ta_IN.js

            File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/ta_IN.js
            MD5: 007af45f6f17457c2073c60f0b6110cc
            SHA1: f517a5be2436050eb56a2f92afd7bd9edc250dff
            SHA256:df8ac007b89619edb24280043a21b83488ba85928d6d3dd486cb6219c91b1f11
            Referenced In Project/Scope: OpenKM Web Application

            Identifiers

            • None

            tcl.js

            File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/tcl/tcl.js
            MD5: 967eb598b26c7e66b58b1b97bf3ec87e
            SHA1: cafe6c13308bc0e9d502751d666d0f88a5235224
            SHA256:35a1c3d004586cfda8ed61fa5634dae653cdedda559e5ef988d5b693dda295d7
            Referenced In Project/Scope: OpenKM Web Application

            Identifiers

            • None

            tern.js

            File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/addon/tern/tern.js
            MD5: ddf920002ba22167a9e91276ee853704
            SHA1: e4ef05d26180fb1f8dc348ed5839da84acf75fa8
            SHA256:88dffdc56acbf04bc323ad333b6ca8f90b8471a4f7d848082da2ec48c354b386
            Referenced In Project/Scope: OpenKM Web Application

            Identifiers

            • None

            test.js

            File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/css/test.js
            MD5: 1030fd69a8d0de419d88d055c2bf91cf
            SHA1: dd5574b09b737bae388b0cc543c85db515c23dcb
            SHA256:1fb3b061d0138665f7bef6a7e8f396927bfe214a786eef824f947eb205c36d88
            Referenced In Project/Scope: OpenKM Web Application

            Identifiers

            • None

            test.js

            File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/gfm/test.js
            MD5: f8a0afa66e06f504e83c10e92a73b17e
            SHA1: 1de56a7cf3e61cfe86b2a2fb4e1e0e97d029e043
            SHA256:5c00a54463e314d0217b2fe276ad9d7345a8cb654947298cc5b6ba82ae232e71
            Referenced In Project/Scope: OpenKM Web Application

            Identifiers

            • None

            test.js

            File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/haml/test.js
            MD5: 7dca25af3798241784f1e0b5dc0acc1b
            SHA1: f9b5e63170b03daa2341c76877dcc384ce1d381e
            SHA256:ff0d9a90c0ef26f0e36f8034f96c9e92537ed2bc34c22a13a519d7e3226a5f83
            Referenced In Project/Scope: OpenKM Web Application

            Identifiers

            • None

            test.js

            File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/javascript/test.js
            MD5: 485dd453b30642a6fe7250c0b588f086
            SHA1: 28f638cdee1d3bb8d1b24b35547c45bbc78f906f
            SHA256:60116bcfa89b731940c3217d4fec2282f1a071ed0d89e789ec3c4a105157647c
            Referenced In Project/Scope: OpenKM Web Application

            Identifiers

            • None

            test.js

            File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/markdown/test.js
            MD5: d9edb4220bcff43a8ae4738a3d82f3c3
            SHA1: c73e6963ffac99cbc664b81cd782457076482542
            SHA256:5385645829089c84d7b90633fc0f3dd5876c62ded83506ddb793ff5eeb97f2ba
            Referenced In Project/Scope: OpenKM Web Application

            Identifiers

            • None

            test.js

            File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/php/test.js
            MD5: c32a7249a8c6b38b1a3d9a9eae172981
            SHA1: 13f51bcc2da8ba95df15eed3cac543ad44274777
            SHA256:af7701d38292d6a56ecd5f21f1aabd6f195b5b7ad19e6a885fc1c424b88df93a
            Referenced In Project/Scope: OpenKM Web Application

            Identifiers

            • None

            test.js

            File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/ruby/test.js
            MD5: ba146f96f7240050ce22610699082d1a
            SHA1: 460e1614f82778bfebd5e46137725e33c0601396
            SHA256:38f057c8bd2cdab975fc457ce243cf7fa51f8d0a6ce2212095e2ee870e0cc4ab
            Referenced In Project/Scope: OpenKM Web Application

            Identifiers

            • None

            test.js

            File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/stex/test.js
            MD5: a91ae54c937a7306a8c82bd9da682e73
            SHA1: 0a545df491f8ba15bcb6ef2782ee806850078988
            SHA256:efcccc4ad3ec6620b3a95d353c0bba6dfc6f32fb058e38868b19535248939e6d
            Referenced In Project/Scope: OpenKM Web Application

            Identifiers

            • None

            test.js

            File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/verilog/test.js
            MD5: 5ac651a7ec64a4d0a5b2cd097543c671
            SHA1: 52b939b3956b31bab591b7f82d431752b797ebfa
            SHA256:dda06eb7f6340f2025f2e1b266276f315742482b1032921d45113fbcbd326c93
            Referenced In Project/Scope: OpenKM Web Application

            Identifiers

            • None

            test.js

            File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/xml/test.js
            MD5: f0f8a054173a6e53218f842ae5aeff22
            SHA1: c3bee2b4b92aa9fd54072f5eb441bdfc6503536f
            SHA256:731b3043b4c52f87a073abcbd508bf1a13287788a7e9223324aae8f94b6a8949
            Referenced In Project/Scope: OpenKM Web Application

            Identifiers

            • None

            test.js

            File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/xquery/test.js
            MD5: b8dc222e40ffae02ec0c96bc7ab02253
            SHA1: 111f0ef334aefe803ea24c0da11f6d0005b98fbc
            SHA256:f046daf6c5cb61fd2872c2ecf00bd36adf3919c94c52d76d951afa6757d399c2
            Referenced In Project/Scope: OpenKM Web Application

            Identifiers

            • None

            tg.js

            File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/tg.js
            MD5: e9e9ca2c0d35a076332b7ef1a019d567
            SHA1: 957d64a400c1623179a3aa95576180250a906ca4
            SHA256:aecbae628a35e88debe2ab21b39ad3b4225bbe193e8e7de77f1d19e959019413
            Referenced In Project/Scope: OpenKM Web Application

            Identifiers

            • None

            th_TH.js

            File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/th_TH.js
            MD5: 151c8b2348e371f175d2df9a83b4f30c
            SHA1: 66929da845a573e06e9233a785d36e727fafaaeb
            SHA256:01c5570b91381c493a7b162b2c74538921bdb2036f8b61480af3300119b513af
            Referenced In Project/Scope: OpenKM Web Application

            Identifiers

            • None

            theme.min.js

            File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/themes/modern/theme.min.js
            MD5: 564c5df5e7f98ae88d546732251aeab2
            SHA1: b3d39a2ce54d0feac289fd99728ee7fe82235413
            SHA256:5f2f62892526e1263b7935a955882eb63d45aa63202647243eca8567f2de7109
            Referenced In Project/Scope: OpenKM Web Application

            Identifiers

            • None

            tiddlywiki.js

            File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/tiddlywiki/tiddlywiki.js
            MD5: c9398c746692b4438587986269738e9c
            SHA1: a9259e4f9484b2c83b817f8ee2ece1e2dcc98837
            SHA256:6581b90cbeeb1b54d3c90b9705242683a4086816b9406067fd2f15cbd2635230
            Referenced In Project/Scope: OpenKM Web Application

            Identifiers

            • None

            tiki.js

            File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/tiki/tiki.js
            MD5: bdb304d1d861846750712db7e17609ad
            SHA1: 0994192c5b898a17a9d855e4f86d2095cb8e316d
            SHA256:87e318cfbcbc8881a9dbfbe001ddefd9ce75f28d627e42e5cca38b67a76c424e
            Referenced In Project/Scope: OpenKM Web Application

            Identifiers

            • None

            tinymce.min.js

            File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/tinymce.min.js
            MD5: cff318ac01b54b7f6185a490c10b3aba
            SHA1: 666cf7062cf3abd62fff47dbae1ea33647fdae28
            SHA256:103b025747e23bade7dab601fdb686dd1b8bccc0fa7fef1b81b0068f4c7f5001
            Referenced In Project/Scope: OpenKM Web Application

            Identifiers

            • None

            toml.js

            File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/toml/toml.js
            MD5: 8af9cca741817962c5f2d622a74aeb8c
            SHA1: 5b26519ea81bb85bab787c7e6504c5a764f0b39a
            SHA256:9736fe6ac4f62361ae714f6069d4c72dd21d9d0b0576e59b2b61f186e78c6770
            Referenced In Project/Scope: OpenKM Web Application

            Identifiers

            • None

            tr_TR.js

            File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/tr_TR.js
            MD5: 1febc0c38e785ee056954b471cbb0624
            SHA1: ac96fea2c47eb037cbd2fcfa3bba122469090773
            SHA256:28ba9ecb19af26525c0d3a199de12ab493718b04e7e263d654d7c8d34e6805e4
            Referenced In Project/Scope: OpenKM Web Application

            Identifiers

            • None

            trailingspace.js

            File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/addon/edit/trailingspace.js
            MD5: 53775246494a906f35c176064b0e1790
            SHA1: 01165ec2ca285f8fb5e8a1dcf757eada0567fe60
            SHA256:b8a4e04ba32dc3432adbab269edb7346387e30f544dedf4dbdbac5b17c02de76
            Referenced In Project/Scope: OpenKM Web Application

            Identifiers

            • None

            tt.js

            File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/tt.js
            MD5: e7dcfca6e1f11a6ffcc88cb1227a5dc1
            SHA1: eda5a05cbc2f9bdea9f03c149a852505b7093bff
            SHA256:0f11a77c9b395948f6b73758643c5140457bd47600cd1a1209c87305933ee992
            Referenced In Project/Scope: OpenKM Web Application

            Identifiers

            • None

            turtle.js

            File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/turtle/turtle.js
            MD5: 0fda5baff014aedb1efafc21228789bb
            SHA1: ef3db0644053d05a8b009d4a79088a96134215a0
            SHA256:7ad3c41d3a77c99d4ec6d8a5f66d3263183ab38136c267ee84f7373d44598f3b
            Referenced In Project/Scope: OpenKM Web Application

            Identifiers

            • None

            twitter4j-2.0.10.jar

            Description:

            A Java library for the Twitter API

            License:

            BSD style: http://yusuke.homeip.net/twitter4j/en/LICENSE.txt
            File Path: /home/vaclav/.m2/repository/net/homeip/yusuke/twitter4j/2.0.10/twitter4j-2.0.10.jar
            MD5: 49730f953d7be7079b72e2ab636b37a9
            SHA1: c8b34e93f444f1f022c06da64ddc66c0ab881e70
            SHA256:3145370dc0efa152a8c4a7ec7ecd8ae1a16c03656079a7d2c2ef67b24135a89c
            Referenced In Project/Scope: OpenKM Web Application:compile
            twitter4j-2.0.10.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12

            Identifiers

            ug.js

            File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/ug.js
            MD5: 0108df06dde4b58814709af674bfa67d
            SHA1: 0e196a1a53b381c59a5e317262c4dc79b876a259
            SHA256:dbeeb13b041482f07b4d1b7014435af6b2046dc88752ace9cc4584706015e4a1
            Referenced In Project/Scope: OpenKM Web Application

            Identifiers

            • None

            uk.js

            File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/uk.js
            MD5: 5fc8070397b336aa1239d6b9e5238257
            SHA1: c7c2e58c532c75655b75ee53042419fda85dff65
            SHA256:4c82f649c3df27cd173b5feceaa1f8c9840967839310997d60a6bf82d3b4b905
            Referenced In Project/Scope: OpenKM Web Application

            Identifiers

            • None

            uk_UA.js

            File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/uk_UA.js
            MD5: d0a387daa4de64a411dd2a9605a3806f
            SHA1: 1ef75e9fbdf48a9fc4a71b800ff8ff7fe3dad109
            SHA256:dc4ee9cdec7ad4da405d95affc26059d823704bf83f2906b8ac115e28c6a447e
            Referenced In Project/Scope: OpenKM Web Application

            Identifiers

            • None

            utils.js

            File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/utils.js
            MD5: 5f9453e89d67ce3b66c3e1c2569b3173
            SHA1: 61436afead7ed4d7633f8f5e92c34927647dbe69
            SHA256:b313c0e96ed8f9c2516dd814ffbd899387243e0eb642cf000fd0da31731bef0d
            Referenced In Project/Scope: OpenKM Web Application

            Identifiers

            • None

            validation-api-1.0.0.GA-sources.jar

            File Path: /home/vaclav/.m2/repository/javax/validation/validation-api/1.0.0.GA/validation-api-1.0.0.GA-sources.jar
            MD5: f816682933b59c5ffe32bdb4ab4bf628
            SHA1: 7a561191db2203550fbfa40d534d4997624cd369
            SHA256:a394d52a9b7fe2bb14f0718d2b3c8308ffe8f37e911956012398d55c9f9f9b54
            Referenced In Project/Scope: OpenKM Web Application:provided
            validation-api-1.0.0.GA-sources.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.google.gwt/gwt-user@2.8.2

            Identifiers

            validation-api-1.0.0.GA.jar

            Description:

            Bean Validation (JSR-303) API.

            License:

            Apache License, Version 2.0: license.txt
            File Path: /home/vaclav/.m2/repository/javax/validation/validation-api/1.0.0.GA/validation-api-1.0.0.GA.jar
            MD5: 40c1ee909493066397a6d4d9f8d375d8
            SHA1: b6bd7f9d78f6fdaa3c37dae18a4bd298915f328e
            SHA256:e459f313ebc6db2483f8ceaad39af07086361b474fa92e40f442e8de5d9895dc
            Referenced In Project/Scope: OpenKM Web Application:compile
            validation-api-1.0.0.GA.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.hibernate/hibernate-validator@4.2.0.Final

            Identifiers

            vanadium-min.js

            File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/vanadium-min.js
            MD5: 71727055a43b609fc865e68538535ab4
            SHA1: f2f30b9f9de9ba11c7e83412a540c32aa317b1c4
            SHA256:aab828d86f70f6b82f5bb71f399e78c92ee1a45e7c98a5849c8ca17fc8edf4d6
            Referenced In Project/Scope: OpenKM Web Application

            Identifiers

            • None

            vb.js

            File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/vb/vb.js
            MD5: 22de2d3acbccc5e74eaff8ace980a381
            SHA1: 772049b15341b5fc741f8c89c6fa1ce13d83f688
            SHA256:1dbda57d7bcec3716d0f21ade5746ae87ad4082814a5eb869e3c361f8ba1eaf0
            Referenced In Project/Scope: OpenKM Web Application

            Identifiers

            • None

            vbscript.js

            File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/vbscript/vbscript.js
            MD5: d0c1b16ab2ff656d259991d6ef3abeda
            SHA1: 603caf8cd44c2c466e614ce332bf579cfb669a1a
            SHA256:1421c592dbfeafb44b1dc86492aa05ecfa1b96ed1a20650211d29f4a8406f252
            Referenced In Project/Scope: OpenKM Web Application

            Identifiers

            • None

            velocity.js

            File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/velocity/velocity.js
            MD5: a4d7f47577676d599ba2bfc4bb7954ea
            SHA1: de7a01d923027d0512bb63f9e963fccd5a6b7bed
            SHA256:ec14554824a832edc766fe2ef0733df9fb6b78de5433a5804c18941582f78e0c
            Referenced In Project/Scope: OpenKM Web Application

            Identifiers

            • None

            verilog.js

            File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/verilog/verilog.js
            MD5: ef520e90acdee48641791177475e3269
            SHA1: e6b3c5b64d63a63d69edadfd584d40e782641013
            SHA256:8ce2cf1329868c8a2da603bceaae118240b0fa2abecdc6e5b9683a16200f7e18
            Referenced In Project/Scope: OpenKM Web Application

            Identifiers

            • None

            vi.js

            File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/vi.js
            MD5: e11661e0ceba12c19c54da4a4e7e1554
            SHA1: bdb97555bff4c1d6cbcaa1efc5aab60f681b0636
            SHA256:02d5a3b36b9cbb52f3aacb3f01dc50998c142d2c4f053b46aecf88c16c5dbdbd
            Referenced In Project/Scope: OpenKM Web Application

            Identifiers

            • None

            vi_VN.js

            File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/vi_VN.js
            MD5: 36aec319a7d14e5f3a99162985d590b2
            SHA1: 6aa97494e602f9b43f06a39e24ee3e83a8d0624a
            SHA256:db7b9c1db0dae08ebc3b0dcab29d9f470799d47bf9511218d99729240fbeb6f5
            Referenced In Project/Scope: OpenKM Web Application

            Identifiers

            • None

            viewer.js

            File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/preview/pdfjs/web/viewer.js
            MD5: 18872607f660948440a6e15b0010d1a4
            SHA1: a0e9caf5b2f0a79c2a08b0396b2c8d781e1b5f85
            SHA256:71c160c6bb3ca933b6b083ed1ce812a39430f3281e368d938d175d5152e94d52
            Referenced In Project/Scope: OpenKM Web Application

            Identifiers

            • None

            wmf2svg-0.9.0.jar

            Description:

            WMF to SVG Converting Tool & Library

            License:

            The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
            File Path: /home/vaclav/.m2/repository/net/arnx/wmf2svg/0.9.0/wmf2svg-0.9.0.jar
            MD5: 0c8a52661f38bc4afabb0f9de8e6a86a
            SHA1: 7b27809b43acb48c1ca65d68219256192a5a887b
            SHA256:7250466116c453ab11279f5ddada6f0df06df6696a1aeda12b3625255acbe712
            Referenced In Project/Scope: OpenKM Web Application:compile
            wmf2svg-0.9.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.docx4j/docx4j@3.1.0

            Identifiers

            woodstox-core-5.1.0.jar

            Description:

            Woodstox is a high-performance XML processor that implements Stax (JSR-173), SAX2 and Stax2 APIs

            License:

            The Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
            File Path: /home/vaclav/.m2/repository/com/fasterxml/woodstox/woodstox-core/5.1.0/woodstox-core-5.1.0.jar
            MD5: 88b7a2312146e237a9941b1f00bf456d
            SHA1: bd416e84cbd20cb5f2cf13c30b023e814a4d6107
            SHA256:6d6107c3e6aac8f1c3e3762b89164b329fb2b15ec0afc8961cf6c4dc355f10bf
            Referenced In Project/Scope: OpenKM Web Application:compile
            woodstox-core-5.1.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.apache.cxf/cxf-rt-frontend-jaxws@3.2.6

            Identifiers

            CVE-2022-40152  

            Those using Woodstox to parse XML data may be vulnerable to Denial of Service (DoS) attacks if DTD support is enabled. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.
            CWE-787 Out-of-bounds Write, CWE-121 Stack-based Buffer Overflow

            CVSSv3:
            • Base Score: HIGH (7.5)
            • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A

            References:

            Vulnerable Software & Versions:

            woodstox-core-asl-4.2.0.jar

            Description:

            Woodstox is a high-performance XML processor that implements Stax (JSR-173) and SAX2 APIs

            License:

            The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
            File Path: /home/vaclav/.m2/repository/org/codehaus/woodstox/woodstox-core-asl/4.2.0/woodstox-core-asl-4.2.0.jar
            MD5: ac7e73fcf52654c0642afdfccc7d9f57
            SHA1: 7a3784c65cfa5c0553f31d000b43346feb1f4ee3
            SHA256:5ccb662b21ed218aaf06fc0a46f8b78338bc4992a236b62b471fa3f2671ed0ae
            Referenced In Project/Scope: OpenKM Web Application:compile
            woodstox-core-asl-4.2.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.apache.chemistry.opencmis/chemistry-opencmis-server-support@0.12.0

            Identifiers

            CVE-2022-40152  

            Those using Woodstox to parse XML data may be vulnerable to Denial of Service (DoS) attacks if DTD support is enabled. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.
            CWE-787 Out-of-bounds Write, CWE-121 Stack-based Buffer Overflow

            CVSSv3:
            • Base Score: HIGH (7.5)
            • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A

            References:

            Vulnerable Software & Versions:
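Added example, not part of this report or of the OpenKM code base: the parser configuration that removes the DTD-driven input CVE-2022-40152 requires, for both Woodstox jars above, together with a check of which Woodstox implementation actually wins at runtime. The check matters here because woodstox-core 5.1.0 and woodstox-core-asl 4.2.0 are different Maven artifacts that ship the same com.ctc.wstx packages, so the class XMLInputFactory resolves to depends on classpath order. The class name, method names and the sample document are constructed for this example; switching DTD support off is a mitigation, not a substitute for upgrading the jars.

```java
import java.io.StringReader;
import java.security.CodeSource;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public final class HardenedStax {

    // Constructed sample: a small internal DTD whose entities reference each other,
    // the kind of input the CVE-2022-40152 description is about (kept tiny on purpose).
    static final String UNTRUSTED_XML =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE doc [<!ENTITY a \"x\"><!ENTITY b \"&a;&a;\">]>\n"
        + "<doc>&b;</doc>";

    /** A StAX factory that refuses DTDs; without a DTD there is no entity graph to recurse into. */
    public static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        // Defence in depth: even if a DTD were processed, never resolve external entities.
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        return f;
    }

    /** Which implementation XMLInputFactory.newInstance() resolved to, and the jar it came from. */
    public static String implementationOrigin(XMLInputFactory f) {
        Class<?> c = f.getClass();
        CodeSource cs = c.getProtectionDomain().getCodeSource();
        return c.getName() + " from " + (cs == null ? "<jdk>" : cs.getLocation());
    }

    /** Concatenates the text nodes of the document, or throws if the parser rejects it. */
    public static String parseText(XMLInputFactory f, String xml) throws XMLStreamException {
        XMLStreamReader r = f.createXMLStreamReader(new StringReader(xml));
        StringBuilder sb = new StringBuilder();
        try {
            while (r.hasNext()) {
                if (r.next() == XMLStreamConstants.CHARACTERS) {
                    sb.append(r.getText());
                }
            }
        } finally {
            r.close();
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        XMLInputFactory f = hardenedFactory();
        System.out.println("StAX implementation: " + implementationOrigin(f));
        try {
            String text = parseText(f, UNTRUSTED_XML);
            // Reaching here means the DTD was skipped yet the entity still expanded: a failed check.
            System.out.println("CHECK FAILED: document was accepted, text=" + text);
        } catch (XMLStreamException e) {
            // Expected: with SUPPORT_DTD off the DOCTYPE is either rejected outright or skipped,
            // leaving &b; undeclared, and the parser throws before any expansion takes place.
            System.out.println("rejected as intended: " + e.getMessage());
        }
    }
}
```

Run it with the application's own classpath (for example the war's WEB-INF/lib) rather than in isolation; otherwise the origin line reports the JDK's built-in StAX parser and says nothing about the two jars flagged above.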

            worker.js

            File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/addon/tern/worker.js
            MD5: e7d878b6ff56802451d357f81204a3b8
            SHA1: 259e1f0e7367fd4897574c33b1b44c5aab326b82
            SHA256:e40f2ebd2bd30bc578970283d781a5aeda439c1e17e12f3955254aa0f0c312e3
            Referenced In Project/Scope: OpenKM Web Application

            Identifiers

            • None

            wsdl4j-1.6.1.jar

            Description:

            Java stub generator for WSDL

            License:

            CPL: http://www.opensource.org/licenses/cpl1.0.txt
            File Path: /home/vaclav/.m2/repository/wsdl4j/wsdl4j/1.6.1/wsdl4j-1.6.1.jar
            MD5: 333331aee2e0f65e846b9ef0e20432e5
            SHA1: 9e9cee064ec2c9c01e0cd6b8bffd1a7013d81f65
            SHA256:0d712ccfd0f0edbf9b0e6793c9562d8c2037bfd8878e9d46f476a68d6f83c11e
            Referenced In Project/Scope: OpenKM Web Application:compile
            wsdl4j-1.6.1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.ws/spring-ws-core@2.1.4.RELEASE

            Identifiers

            wss4j-1.6.4.jar

            Description:

            The Apache WSS4J project provides a Java implementation of the primary security standards for Web Services, namely the OASIS Web Services Security (WS-Security) specifications from the OASIS Web Services Security TC.

            License:

            The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
            File Path: /home/vaclav/.m2/repository/org/apache/ws/security/wss4j/1.6.4/wss4j-1.6.4.jar
            MD5: 02a33e0616383e8449f740d7062f78f7
            SHA1: 16b921983c7b6077a39da75f5edf24f3402adbbb
            SHA256:8776d6166c461ba49a244c84be839303734257c8b4eb7abf62adf344c846902b
            Referenced In Project/Scope: OpenKM Web Application:compile
            wss4j-1.6.4.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12

            Identifiers

            CVE-2015-0226  

            Apache WSS4J before 1.6.17 and 2.0.x before 2.0.2 improperly leaks information about decryption failures when decrypting an encrypted key or message data, which makes it easier for remote attackers to recover the plaintext form of a symmetric key via a series of crafted messages. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-2487.
            CWE-327 Use of a Broken or Risky Cryptographic Algorithm

            CVSSv2:
            • Base Score: MEDIUM (5.0)
            • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
            CVSSv3:
            • Base Score: HIGH (7.5)
            • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:3.9/RC:R/MAV:A

            References:

            Vulnerable Software & Versions:

            CVE-2011-2487  

            The implementations of PKCS#1 v1.5 key transport mechanism for XMLEncryption in JBossWS and Apache WSS4J before 1.6.5 is susceptible to a Bleichenbacher attack.
            CWE-327 Use of a Broken or Risky Cryptographic Algorithm

            CVSSv2:
            • Base Score: MEDIUM (4.3)
            • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
            CVSSv3:
            • Base Score: MEDIUM (5.9)
            • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:2.2/RC:R/MAV:A

            References:

            Vulnerable Software & Versions:

            CVE-2014-3623  

            Apache WSS4J before 1.6.17 and 2.x before 2.0.2, as used in Apache CXF 2.7.x before 2.7.13 and 3.0.x before 3.0.2, when using TransportBinding, does not properly enforce the SAML SubjectConfirmation method security semantics, which allows remote attackers to conduct spoofing attacks via unspecified vectors.
            CWE-287 Improper Authentication

            CVSSv2:
            • Base Score: MEDIUM (5.0)
            • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N

            References:

            Vulnerable Software & Versions:

            CVE-2015-0227  

            Apache WSS4J before 1.6.17 and 2.x before 2.0.2 allows remote attackers to bypass the requireSignedEncryptedDataElements configuration via vectors related to "wrapping attacks."
            CWE-264 Permissions, Privileges, and Access Controls

            CVSSv2:
            • Base Score: MEDIUM (5.0)
            • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N

            References:

            Vulnerable Software & Versions:

            wss4j-policy-2.2.2.jar

            Description:

            Apache WSS4J parent pom

            License:

            http://www.apache.org/licenses/LICENSE-2.0.txt
            File Path: /home/vaclav/.m2/repository/org/apache/wss4j/wss4j-policy/2.2.2/wss4j-policy-2.2.2.jar
            MD5: 86bf211e56c2eed3b153b872ab5b5ee4
            SHA1: cda28dfc691b430a0d78540da370388ad163f292
            SHA256:1a992c0a1b5745bd274beb84947f91da406703f42db2f13547531a5de0472e5e
            Referenced In Project/Scope: OpenKM Web Application:compile
            wss4j-policy-2.2.2.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.apache.cxf/cxf-rt-ws-security@3.2.6

            Identifiers

            xalan-2.7.1.jar

            Description:

            Xalan-Java is an XSLT processor for transforming XML documents into HTML, text, or other XML document types. It implements XSL Transformations (XSLT) Version 1.0 and XML Path Language (XPath) Version 1.0 and can be used from the command line, in an applet or a servlet, or as a module in other programs.

            File Path: /home/vaclav/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar
            MD5: d43aad24f2c143b675292ccfef487f9c
            SHA1: 75f1d83ce27bab5f29fff034fc74aa9f7266f22a
            SHA256:55a2e95144acf1abe44fea91c2948525c9b1f00fcaa1d10e753e92872ffbdd1e
            Referenced In Project/Scope: OpenKM Web Application:compile
            xalan-2.7.1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.docx4j/docx4j@3.1.0

            Identifiers

            CVE-2014-0107  

            The TransformerFactory in Apache Xalan-Java before 2.7.2 does not properly restrict access to certain properties when FEATURE_SECURE_PROCESSING is enabled, which allows remote attackers to bypass expected restrictions and load arbitrary classes or access external resources via a crafted (1) xalan:content-header, (2) xalan:entities, (3) xslt:content-header, or (4) xslt:entities property, or a Java property that is bound to the XSLT 1.0 system-property function.
            CWE-264 Permissions, Privileges, and Access Controls

            CVSSv2:
            • Base Score: HIGH (7.5)
            • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P

            References:

            Vulnerable Software & Versions:

            CVE-2022-34169  

            The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. Users are recommended to update to version 2.7.3 or later. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan.
            CWE-681 Incorrect Conversion between Numeric Types

            CVSSv3:
            • Base Score: HIGH (7.5)
            • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:3.9/RC:R/MAV:A

            References:

            Vulnerable Software & Versions:
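Added example, not part of this report or of Xalan: how to harden a TransformerFactory against hostile stylesheets and, more to the point for this entry, how to detect that the processor on the classpath is too old to be hardened. Neither CVE above is fixed by configuration: CVE-2014-0107 is a bypass of FEATURE_SECURE_PROCESSING in Xalan before 2.7.2, and CVE-2022-34169 corrupts XSLTC-generated bytecode regardless of settings, so the remedy is the upgrade to 2.7.3 named in the CVE text. What configuration can do is deny extension-function calls and external DTD/stylesheet access; the JAXP 1.5 ACCESS_EXTERNAL_* attributes used below are not recognised by the standalone Xalan 2.7.1 (it predates JAXP 1.5 support), so setting them throws and the helper fails closed on the vulnerable jar. The class name and the constructed stylesheet are assumptions of the example.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

public final class HardenedXslt {

    // Constructed stylesheet that calls into a Java class through Xalan's extension-function
    // namespace; a hardened processor must refuse to compile or run it.
    static final String HOSTILE_XSLT =
        "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\"\n"
        + "  xmlns:rt=\"http://xml.apache.org/xalan/java/java.lang.Runtime\">\n"
        + "  <xsl:template match=\"/\"><xsl:value-of select=\"rt:getRuntime()\"/></xsl:template>\n"
        + "</xsl:stylesheet>";

    /** A TransformerFactory with extension functions and external access disabled, or an exception. */
    public static TransformerFactory hardenedFactory() throws TransformerConfigurationException {
        TransformerFactory tf = TransformerFactory.newInstance();
        // Denies extension functions/elements, i.e. Java calls from XSLT, in a compliant processor.
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // JAXP 1.5 access controls: no external DTDs, no xsl:import/xsl:include/document() fetches.
        // A processor that does not know these attributes throws IllegalArgumentException;
        // treat that as "too old to harden" and refuse to hand out a factory.
        try {
            tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        } catch (IllegalArgumentException e) {
            throw new TransformerConfigurationException(
                "XSLT processor " + tf.getClass().getName()
                + " has no JAXP 1.5 access controls; upgrade it before transforming untrusted input", e);
        }
        return tf;
    }

    /** True when the stylesheet compiles and runs under the hardened factory, false when it is refused. */
    public static boolean runs(String xslt, String xml) {
        try {
            Transformer t = hardenedFactory().newTransformer(new StreamSource(new StringReader(xslt)));
            StringWriter out = new StringWriter();
            t.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
            return true;
        } catch (TransformerException e) {
            // Covers both the "processor too old" case above and a secure-processing refusal.
            return false;
        }
    }

    public static void main(String[] args) {
        System.out.println("XSLT processor: " + TransformerFactory.newInstance().getClass().getName());
        System.out.println("hostile stylesheet ran: " + runs(HOSTILE_XSLT, "<x/>"));
    }
}
```

On a classpath where xalan-2.7.1.jar is the resolved TransformerFactory, runs() returns false because hardenedFactory() refuses to configure it; on a current processor it returns false because secure processing rejects the extension call. A true result is the signal to investigate.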

            xercesImpl-2.9.1.jar

            Description:

            Xerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program.

            File Path: /home/vaclav/.m2/repository/xerces/xercesImpl/2.9.1/xercesImpl-2.9.1.jar
            MD5: f807f86d7d9db25edbfc782aca7ca2a9
            SHA1: 7bc7e49ddfe4fb5f193ed37ecc96c12292c8ceb6
            SHA256:6ae540a7c85c814ac64bea48016b3a6f45c95d4765f547fcc0053dc36c94ed5c
            Referenced In Project/Scope: OpenKM Web Application:compile
            xercesImpl-2.9.1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/net.sourceforge.nekohtml/nekohtml@1.9.14

            Identifiers

            CVE-2012-0881  

            Apache Xerces2 Java Parser before 2.12.0 allows remote attackers to cause a denial of service (CPU consumption) via a crafted message to an XML service, which triggers hash table collisions.
            CWE-399 Resource Management Errors

            CVSSv2:
            • Base Score: HIGH (7.8)
            • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:C
            CVSSv3:
            • Base Score: HIGH (7.5)
            • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A

            References:

            Vulnerable Software & Versions:

            CVE-2013-4002  

            XMLscanner.java in Apache Xerces2 Java Parser before 2.12.0, as used in the Java Runtime Environment (JRE) in IBM Java 5.0 before 5.0 SR16-FP3, 6 before 6 SR14, 6.0.1 before 6.0.1 SR6, and 7 before 7 SR5 as well as Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, Java SE Embedded 7u40 and earlier, and possibly other products allows remote attackers to cause a denial of service via vectors related to XML attribute names.
            NVD-CWE-noinfo

            CVSSv2:
            • Base Score: HIGH (7.1)
            • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:C

            References:

            Vulnerable Software & Versions:

            CVE-2022-23437  

            There is a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes the XercesJ XML parser to wait in an infinite loop, which may consume system resources for a prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and previous versions.
            CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')

            CVSSv2:
            • Base Score: HIGH (7.1)
            • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:C
            CVSSv3:
            • Base Score: MEDIUM (6.5)
            • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:2.8/RC:R/MAV:A

            References:

            Vulnerable Software & Versions:

            CVE-2017-10355 (OSSINDEX)  

            sonatype-2017-0348 - xerces:xercesImpl - Denial of Service (DoS)
            
            The software contains multiple threads or executable segments that are waiting for each other to release a necessary lock, resulting in deadlock.
            CWE-833 Deadlock

            CVSSv3:
            • Base Score: MEDIUM (5.9)
            • Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

            References:

            Vulnerable Software & Versions (OSSINDEX):

            • cpe:2.3:a:xerces:xercesImpl:2.9.1:*:*:*:*:*:*:*

            CVE-2018-2799  

            Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JAXP). Supported versions that are affected are Java SE: 7u171, 8u162 and 10; Java SE Embedded: 8u161; JRockit: R28.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
            NVD-CWE-noinfo

            CVSSv2:
            • Base Score: MEDIUM (5.0)
            • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
            CVSSv3:
            • Base Score: MEDIUM (5.3)
            • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:3.9/RC:R/MAV:A

            References:

            Vulnerable Software & Versions:

            CVE-2009-2625  

            XMLScanner.java in Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework.
            NVD-CWE-Other

            CVSSv2:
            • Base Score: MEDIUM (5.0)
            • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P

            References:

            Vulnerable Software & Versions:

            xml-apis-1.3.04.jar

            Description:

            xml-commons provides an Apache-hosted set of DOM, SAX, and JAXP interfaces for use in other xml-based projects. Our hope is that we can standardize on both a common version and packaging scheme for these critical XML standards interfaces to make the lives of both our developers and users easier. The External Components portion of xml-commons contains interfaces that are defined by external standards organizations. For DOM, that's the W3C; for SAX it's David Megginson and sax.sourceforge.net; for JAXP it's Sun.

            File Path: /home/vaclav/.m2/repository/xml-apis/xml-apis/1.3.04/xml-apis-1.3.04.jar
            MD5: 9ae9c29e4497fc35a3eade1e6dd0bbeb
            SHA1: 90b215f48fe42776c8c7f6e3509ec54e84fd65ef
            SHA256:d404aa881eb9c5f7a4fb546e84ea11506cd417a72b5972e88eff17f43f9f8a64
            Referenced In Project/Scope: OpenKM Web Application:compile
            xml-apis-1.3.04.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/net.sourceforge.nekohtml/nekohtml@1.9.14

            Identifiers

            xml-fold.js

            File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/addon/fold/xml-fold.js
            MD5: e064e5342614b3f859d9250635a6cdc7
            SHA1: 7b4a49564b646d1c15775bb87ed125d45ab15bf8
            SHA256:e51866c5053ff0e007c0169fbd237f2741b1bb4b30ae204f998fab13eaa58b42
            Referenced In Project/Scope: OpenKM Web Application

            Identifiers

            • None

            xml-hint.js

            File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/addon/hint/xml-hint.js
            MD5: 2518cfc347e5a11de902c509267378b5
            SHA1: 4955f990758d1a7a052d639a06189ae19392d1d4
            SHA256:4849491ef18b7bfb422b1360fcd3fe31b85d68ca1f46e979eb09e202ac5d1049
            Referenced In Project/Scope: OpenKM Web Application

            Identifiers

            • None

            xml-resolver-1.2.jar

            Description:

            xml-commons provides an Apache-hosted set of DOM, SAX, and JAXP interfaces for use in other xml-based projects. Our hope is that we can standardize on both a common version and packaging scheme for these critical XML standards interfaces to make the lives of both our developers and users easier.

            File Path: /home/vaclav/.m2/repository/xml-resolver/xml-resolver/1.2/xml-resolver-1.2.jar
            MD5: 706c533146c1f4ee46b66659ea14583a
            SHA1: 3d0f97750b3a03e0971831566067754ba4bfd68c
            SHA256:47dcde8986019314ef78ae7280a94973a21d2ed95075a40a000b42da956429e1
            Referenced In Project/Scope: OpenKM Web Application:compile
            xml-resolver-1.2.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.apache.cxf/cxf-rt-frontend-jaxws@3.2.6

            Identifiers

            xml.js

            File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/xml/xml.js
            MD5: 5234b745fcb9e1538edb18f357c87b45
            SHA1: 617a14d7c0946b23d40efaf9c509d661ecaeb729
            SHA256:52627d94134b036958d52e579ef04b2b4c5932fb0ded31a016c4f5f53b42bd62
            Referenced In Project/Scope: OpenKM Web Application

            Identifiers

            • None

            xmlbeans-2.6.0.jar

            Description:

            XmlBeans main jar

            License:

            The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
            File Path: /home/vaclav/.m2/repository/org/apache/xmlbeans/xmlbeans/2.6.0/xmlbeans-2.6.0.jar
            MD5: 6591c08682d613194dacb01e95c78c2c
            SHA1: 29e80d2dd51f9dcdef8f9ffaee0d4dc1c9bbfc87
            SHA256:c77974359688b2823b48fa9a33da68559d64f8474441480d9df4f9e254332a96
            Referenced In Project/Scope: OpenKM Web Application:compile
            xmlbeans-2.6.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.apache.poi/poi-ooxml-schemas@3.12

            Identifiers

            CVE-2021-23926  

            The XML parsers used by XMLBeans up to version 2.6.0 did not set the properties needed to protect the user from malicious XML input. Vulnerabilities include possibilities for XML Entity Expansion attacks. Affects XMLBeans up to and including v2.6.0.
            CWE-776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

            CVSSv2:
            • Base Score: MEDIUM (6.4)
            • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:P
            CVSSv3:
            • Base Score: CRITICAL (9.1)
            • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H/E:3.9/RC:R/MAV:A

            References:

            Vulnerable Software & Versions:

            xmlgraphics-commons-1.5.jar

            Description:

            Apache XML Graphics Commons is a library that consists of several reusable components used by Apache Batik and Apache FOP. Many of these components can easily be used separately outside the domains of SVG and XSL-FO.

            License:

            The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
            File Path: /home/vaclav/.m2/repository/org/apache/xmlgraphics/xmlgraphics-commons/1.5/xmlgraphics-commons-1.5.jar
            MD5: 86090bc1cfbb6c7bb0efee2d6c6fd7b6
            SHA1: 7fb5c2b2c18f0e87fbe9bded16429a5d7cc2dc2b
            SHA256:43ef52b2596b14deb291edea2b260aa6983389a87b15e31d6a5a2c54cc17ce7a
            Referenced In Project/Scope: OpenKM Web Application:compile
            xmlgraphics-commons-1.5.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.docx4j/docx4j@3.1.0

            Identifiers

            CVE-2020-11988  

            Apache XmlGraphics Commons 2.4 and earlier is vulnerable to server-side request forgery, caused by improper input validation by the XMPParser. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests. Users should upgrade to 2.6 or later.
            CWE-20 Improper Input Validation, CWE-918 Server-Side Request Forgery (SSRF)

            CVSSv2:
            • Base Score: MEDIUM (6.4)
            • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
            CVSSv3:
            • Base Score: HIGH (8.2)
            • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:3.9/RC:R/MAV:A

            References:

            Vulnerable Software & Versions:

            xmlschema-core-2.2.3.jar

            Description:

            Commons XMLSchema is a light weight schema object model that can be used to manipulate or generate XML schema.

            License:

            http://www.apache.org/licenses/LICENSE-2.0.txt
            File Path: /home/vaclav/.m2/repository/org/apache/ws/xmlschema/xmlschema-core/2.2.3/xmlschema-core-2.2.3.jar
            MD5: b4ccd232560c81023bfa2f17f7cd40ce
            SHA1: 920a9a3132f925554ae8432d9473c8806734a8ec
            SHA256:ffa13d70e827653d93dff3c76598a0821b29c7450538e139989f79fb2c5b4e65
            Referenced In Project/Scope: OpenKM Web Application:compile
            xmlschema-core-2.2.3.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.apache.cxf/cxf-rt-frontend-jaxws@3.2.6

            Identifiers

            xmlsec-1.4.6.jar

            Description:

            Apache Santuario supports XML-Signature Syntax and Processing, W3C Recommendation 12 February 2002, and XML Encryption Syntax and Processing, W3C Recommendation 10 December 2002. As of version 1.4, the Java library supports the standard Java API JSR-105: XML Digital Signature APIs.

            License:

            The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
            File Path: /home/vaclav/.m2/repository/org/apache/santuario/xmlsec/1.4.6/xmlsec-1.4.6.jar
            MD5: d2008d3b8d655b5fe0caac768af07c01
            SHA1: b56eff7e86e9efa2c32a1ab08693e2d6eb4b88de
            SHA256:ab68a81077c1a9d30bc9384e5340787041767c76a5fa704a96e4d30e29d41976
            Referenced In Project/Scope: OpenKM Web Application:compile
            xmlsec-1.4.6.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.apache.ws.security/wss4j@1.6.4

            Identifiers

            CVE-2023-44483 (OSSINDEX)  

            All versions of Apache Santuario - XML Security for Java prior to 2.2.6, 2.3.4, and 3.0.3, when using the JSR 105 API, are vulnerable to an issue where a private key may be disclosed in log files when generating an XML Signature and logging with debug level is enabled. Users are recommended to upgrade to version 2.2.6, 2.3.4, or 3.0.3, which fixes this issue.

            Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2023-44483 for details
            CWE-532 Insertion of Sensitive Information into Log File

            CVSSv3:
            • Base Score: MEDIUM (6.5)
            • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

            References:

            Vulnerable Software & Versions (OSSINDEX):

            • cpe:2.3:a:org.apache.santuario:xmlsec:1.4.6:*:*:*:*:*:*:*

            CVE-2013-5823 (OSSINDEX)  

            Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect availability via unknown vectors related to Security.
            CWE-400 Uncontrolled Resource Consumption

            CVSSv2:
            • Base Score: MEDIUM (5.0)
            • Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

            References:

            Vulnerable Software & Versions (OSSINDEX):

            • cpe:2.3:a:org.apache.santuario:xmlsec:1.4.6:*:*:*:*:*:*:*

            CVE-2013-2172 (OSSINDEX)  

            jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java in Apache Santuario XML Security for Java 1.4.x before 1.4.8 and 1.5.x before 1.5.5 allows context-dependent attackers to spoof an XML Signature by using the CanonicalizationMethod parameter to specify an arbitrary weak "canonicalization algorithm to apply to the SignedInfo part of the Signature."
            CWE-310 Cryptographic Issues

            CVSSv2:
            • Base Score: MEDIUM (4.3)
            • Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

            References:

            Vulnerable Software & Versions (OSSINDEX):

            • cpe:2.3:a:org.apache.santuario:xmlsec:1.4.6:*:*:*:*:*:*:*

            CVE-2013-4517 (OSSINDEX)  

            Apache Santuario XML Security for Java before 1.5.6, when applying Transforms, allows remote attackers to cause a denial of service (memory consumption) via crafted Document Type Definitions (DTDs), related to signatures.
            CWE-399 Resource Management Errors

            CVSSv2:
            • Base Score: MEDIUM (4.3)
            • Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P

            References:

            Vulnerable Software & Versions (OSSINDEX):

            • cpe:2.3:a:org.apache.santuario:xmlsec:1.4.6:*:*:*:*:*:*:*

            xmltooling-1.3.2-1.jar

            Description:

            XMLTooling-J is a low-level library that may be used to construct libraries that allow developers to work with XML in a Java beans manner.

            License:

            Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt
            File Path: /home/vaclav/.m2/repository/org/opensaml/xmltooling/1.3.2-1/xmltooling-1.3.2-1.jar
            MD5: 06de9a0632f8dc1064106e9bbaee66d5
            SHA1: 6446e9ac7e90667d6883ac583c402601dec75e34
            SHA256:f1527964c28ae3352681dafbdd0235f1d37b8c0b1c439280cf9e9b5a3cd4ca77
            Referenced In Project/Scope: OpenKM Web Application:compile
            xmltooling-1.3.2-1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.apache.ws.security/wss4j@1.6.4

            Identifiers

            CVE-2013-6440 (OSSINDEX)  

            The (1) BasicParserPool, (2) StaticBasicParserPool, (3) XML Decrypter, and (4) SAML Decrypter in Shibboleth OpenSAML-Java before 2.6.1 set the expandEntityReferences property to true, which allows remote attackers to conduct XML external entity (XXE) attacks via a crafted XML DOCTYPE declaration.
            CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

            CVSSv2:
            • Base Score: MEDIUM (5.0)
            • Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

            References:

            Vulnerable Software & Versions (OSSINDEX):

            • cpe:2.3:a:org.opensaml:xmltooling:1.3.2-1:*:*:*:*:*:*:*

            CVE-2015-1796 (OSSINDEX)  

            The PKIX trust engines in Shibboleth Identity Provider before 2.4.4 and OpenSAML Java (OpenSAML-J) before 2.6.5 trust candidate X.509 credentials when no trusted names are available for the entityID, which allows remote attackers to impersonate an entity via a certificate issued by a shibmd:KeyAuthority trust anchor.
            CWE-254 7PK - Security Features

            CVSSv2:
            • Base Score: MEDIUM (4.3)
            • Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

            References:

            Vulnerable Software & Versions (OSSINDEX):

            • cpe:2.3:a:org.opensaml:xmltooling:1.3.2-1:*:*:*:*:*:*:*
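Added example, not part of this report, of XMLBeans or of OpenSAML: the JAXP parser settings that CVE-2021-23926 (xmlbeans-2.6.0.jar above) and CVE-2013-6440 (xmltooling-1.3.2-1.jar) say those libraries failed to apply, shown on a DocumentBuilderFactory with two constructed probes, an external-entity reference and an internal entity expansion. The factory here is one the application itself would build; it does not reach into the parsers those two libraries create internally, so the jars still need upgrading, but it is the feature set a reviewer checks for wherever the application parses XML it did not produce. The class name, helper names and the probe documents are assumptions of the example.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public final class HardenedDom {

    // Constructed XXE probe: an external general entity pointing at a local file.
    static final String XXE_PROBE =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE x [<!ENTITY xxe SYSTEM \"file:///etc/hostname\">]>\n"
        + "<x>&xxe;</x>";

    // Constructed entity-expansion probe, two levels deep (the real attack nests far deeper).
    static final String EXPANSION_PROBE =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE x [<!ENTITY a \"aaaaaaaaaa\"><!ENTITY b \"&a;&a;&a;&a;&a;\">]>\n"
        + "<x>&b;</x>";

    /** A DOM parser that rejects DOCTYPE declarations and, failing that, never resolves entities. */
    public static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Refusing any DOCTYPE defeats both XXE and internal-subset entity expansion on its own.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for deployments that later have to accept a DTD:
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false); // the property CVE-2013-6440 says was left at true
        return dbf.newDocumentBuilder();
    }

    /** True if the hardened parser accepts the document, false if it rejects it. */
    public static boolean accepts(String xml) throws Exception {
        try {
            Document d = hardenedBuilder().parse(new InputSource(new StringReader(xml)));
            return d.getDocumentElement() != null;
        } catch (SAXParseException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("XXE probe accepted: " + accepts(XXE_PROBE));
        System.out.println("entity-expansion probe accepted: " + accepts(EXPANSION_PROBE));
        System.out.println("plain document accepted: " + accepts("<x>ok</x>"));
    }
}
```

The disallow-doctype-decl feature alone rejects both probes at the DOCTYPE, before any entity is looked at; the remaining features and setExpandEntityReferences(false) only matter for a deployment that has to accept a DTD, which is the situation both CVE descriptions above are about.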

            xom-1.2.5.jar

            Description:

            The XOM Dual Streaming/Tree API for Processing XML

            License:

            The GNU Lesser General Public License, Version 2.1: http://www.gnu.org/licenses/lgpl-2.1.html
            File Path: /home/vaclav/.m2/repository/xom/xom/1.2.5/xom-1.2.5.jar
            MD5: 91b16b5b53ae0804671a57dbf7623fad
            SHA1: 4166493b9f04e91b858ba4150b28b4d197f8f8ea
            SHA256: 0e22c49ab86a6533299160b95db9201fd7040f4f082e90d563ca7e8d972bbe3a
            Referenced In Project/Scope: OpenKM Web Application:compile
            xom-1.2.5.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/net.sf.jodreports/jodreports@2.4.0

            Identifiers

            xquery.js

            File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/xquery/xquery.js
            MD5: b4a810d4a16f8054c37003110e546ec9
            SHA1: f386e1b32f2ba753dc2f93bc12ec7d4ba28e3224
            SHA256: 9fe6e3350a8644baa5bd8c447aa11fc97934d7905c8613c6e6dcfd5cddd576a1
            Referenced In Project/Scope: OpenKM Web Application

            Identifiers

            • None

            yaml-lint.js

            File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/addon/lint/yaml-lint.js
            MD5: a71679086add6c29d3e09cea1b85b20f
            SHA1: 1ed369fc51572ee0b3be312eaf8fb7bea0071490
            SHA256: 62aa5bf4f1118af3cb55aab3d0715a4f74d1ed4cdabed69b894e82c7080c6211
            Referenced In Project/Scope: OpenKM Web Application

            Identifiers

            • None

            yaml.js

            File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/yaml/yaml.js
            MD5: 3f2167905ae87d3ee0ee6e47d4541fdc
            SHA1: d34899ccd053857792ade3fb0bab23df9452fafd
            SHA256: 6e08438cad180a3d60d306a6b94bee5ad533a0bf2a15f9f7872adfbcc497df7a
            Referenced In Project/Scope: OpenKM Web Application

            Identifiers

            • None

            z80.js

            File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/admin/js/codemirror/mode/z80/z80.js
            MD5: d3c341a86c18b525b6ee92dd798bfc51
            SHA1: 699e9c5beb64181f0cef422c31173b1f36ba4388
            SHA256: 05a022695101b2266340b6f683da8bd8599436d1615f44770873440032370370
            Referenced In Project/Scope: OpenKM Web Application

            Identifiers

            • None

            zh_CN.js

            File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/zh_CN.js
            MD5: 7f1c3a7567a21f306f64f25e98035c75
            SHA1: ea14080795d23458d0ab846babb394940961e920
            SHA256: 3a4c801b1bdeed3c6e3c27a2907277316616989d5b0bd17690236ce751f25b97
            Referenced In Project/Scope: OpenKM Web Application

            Identifiers

            • None

            zh_TW.js

            File Path: /home/vaclav/Projects/Beset/document-management-system/src/main/webapp/js/tinymce4/langs/zh_TW.js
            MD5: a831a2b2a8c50860e9bac90bddc5bdbb
            SHA1: bd7d762255b0893fbe83e598d8903f1b15f8fb3e
            SHA256: 6e5fb355f570948bb5920adb17e1fb4d74dba82b3f7c1019d91c98d668cba5b1
            Referenced In Project/Scope: OpenKM Web Application

            Identifiers

            • None

            zip4j-1.3.2.jar

            Description:

            An open source java library to handle zip files

            License:

            Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt
            File Path: /home/vaclav/.m2/repository/net/lingala/zip4j/zip4j/1.3.2/zip4j-1.3.2.jar
            MD5: 67577b0541256ea89d15e0edb6d2a7b8
            SHA1: 4ba84e98ee017b74cb52f45962f929a221f3074c
            SHA256: c67098d430c574311432728ebd4c7c45672f9ccf5c64702eb6afb8816c22ad08
            Referenced In Project/Scope: OpenKM Web Application:compile
            zip4j-1.3.2.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.openkm/openkm@6.3.12

            Identifiers

            CVE-2018-1002202  

            zip4j before 1.3.3 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.
            CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

            CVSSv2:
            • Base Score: MEDIUM (5.8)
            • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:P
            CVSSv3:
            • Base Score: MEDIUM (6.5)
            • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:2.8/RC:R/MAV:A

            References:

            Vulnerable Software & Versions:

            CVE-2023-22899  

            Zip4j through 2.11.2, as used in Threema and other products, does not always check the MAC when decrypting a ZIP archive.
            CWE-346 Origin Validation Error

            CVSSv3:
            • Base Score: MEDIUM (5.9)
            • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N/E:2.2/RC:R/MAV:A

            References:

            Vulnerable Software & Versions:

            CVE-2022-24615  

            zip4j up to v2.10.0 can throw various uncaught exceptions while parsing a specially crafted ZIP file, which could result in an application crash. This could be used to mount a denial of service attack against services that use zip4j library.
            CWE-755 Improper Handling of Exceptional Conditions

            CVSSv2:
            • Base Score: MEDIUM (4.3)
            • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
            CVSSv3:
            • Base Score: MEDIUM (5.5)
            • Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:1.8/RC:R/MAV:A

            References:

            Vulnerable Software & Versions:
            This report contains data retrieved from the National Vulnerability Database.
            This report may contain data retrieved from the CISA Known Exploited Vulnerability Catalog.
            This report may contain data retrieved from the Github Advisory Database (via NPM Audit API).
            This report may contain data retrieved from RetireJS.
            This report may contain data retrieved from the Sonatype OSS Index.